[whatwg] Should script run if it comes from a HTML fragment?

After reading all the responses and consulting with several developers at
Google and other WebKit contributors, I have reached the conclusion that we
should fix this bug, and the script parsed by createContextualFragment
should, indeed, run when the fragment is inserted into a document.

I'll follow up when the bug is fixed and WebKit's behavior is matched that
of Firefox.

Best regards,
Ryosuke Niwa
Software Engineer
Google Inc.

On Thu, Nov 11, 2010 at 4:34 PM, Ryosuke Niwa <rniwa at webkit.org> wrote:

> Greetings all,
>
> I'm working on the WebKit bug 12234 - Using createContextualFragment to
> insert a <script> does not cause the script to execute<https://bugs.webkit.org/show_bug.cgi?id=12234>.
>  While investigating the issue, the following part of HTML5 spec came to my
> attention:
>
> *10.2.5.7 The "in head" insertion mode<http://www.whatwg.org/specs/web-apps/current-work/#parsing-main-inhead>
> *
> ...
>
>    - *A start tag whose tag name is "script"*
>    1. If the parser was originally created for the HTML fragment parsing
>       algorithm, then mark the script element as "already started". (fragment
>       case)
>
> Since 10.4 Parsing HTML fragments<http://www.whatwg.org/specs/web-apps/current-work/#fragment-case>does not special case the script element, this seem to imply that we never
> execute scripts inserted by the HTML fragment parsing algorithm.  Am I
> right?
>
> To give you more concrete example, should the following markup show the
> alert or not?
>
>
> <!DOCTYPE html>
> <html>
> <script>
> document.body.innerHTML+="<scr"+"ipt>alert('SUCCESS')</scr"+"ipt>";
> </script>
> </html>
>
>
> Best regards,
> Ryosuke Niwa
> Software Engineer
> Google Inc.
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20101201/30adf632/attachment-0001.htm>

Received on Wednesday, 1 December 2010 11:54:17 UTC