- From: Robert O'Callahan <robert@ocallahan.org>
- Date: Fri, 23 Apr 2010 11:28:47 +1200
See https://bugzilla.mozilla.org/show_bug.cgi?id=519928 Suppose we have a <script> element inside a contenteditable parent. Should the script run? What about on* attribute event handlers, should they fire in response to events? What about <object> plugins inside a contenteditable parent, should they be instantiated? In Webkit, scripts, event handlers and plugins run normally. IE disables them. Gecko disables them when designmode is used but enables them for contenteditable. In https://bugzilla.mozilla.org/show_bug.cgi?id=519928#c46a CKEditor developer argues forcefully that we should disable them. If we do choose to disable them, exactly how this should be specced is not completely clear to me. There is a side issue of how editable <iframe>s should be treated. Presumably we should load the subdocument, but if we disabled scripts for editable content, should we allow scripts to run inside the <iframe> document? Probably yes to allow framebusting to run. Perhaps we should prevent user events from being delivered to the <iframe> document though? Rob -- "He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6] -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100423/7e848c68/attachment.htm>
Received on Thursday, 22 April 2010 16:28:47 UTC