[whatwg] Should scripts and plugins in contenteditable content be enabled or disabled?

See https://bugzilla.mozilla.org/show_bug.cgi?id=519928

Suppose we have a <script> element inside a contenteditable parent. Should
the script run? What about on* attribute event handlers, should they fire in
response to events? What about <object> plugins inside a contenteditable
parent, should they be instantiated?

In Webkit, scripts, event handlers and plugins run normally. IE disables
them. Gecko disables them when designmode is used but enables them for
contenteditable. In
https://bugzilla.mozilla.org/show_bug.cgi?id=519928#c46a CKEditor
developer argues forcefully that we should disable them.

If we do choose to disable them, exactly how this should be specced is not
completely clear to me.

There is a side issue of how editable <iframe>s should be treated.
Presumably we should load the subdocument, but if we disabled scripts for
editable content, should we allow scripts to run inside the <iframe>
document? Probably yes to allow framebusting to run. Perhaps we should
prevent user events from being delivered to the <iframe> document though?

Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100423/7e848c68/attachment.htm>

Received on Thursday, 22 April 2010 16:28:47 UTC