- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 26 Aug 2010 23:59:47 +0200

On Thu, 26 Aug 2010 22:30:00 +0200, Julian Reschke <julian.reschke at gmx.de> wrote:
> I now get the point about the additional problems in script, but I fail
> to see how the proposal addresses this, unless expanding these entities
> is supposed to happen *after* parsing the script.

If you have ele.innerHTML = '&%....;' inside <script> it would be expanded the moment innerHTML is invoked (inside script entities are not expanded) and thus be safe from "</script>" injection and such. So yes, it happens after.

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Thursday, 26 August 2010 14:59:47 UTC