W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2010

[whatwg] Should script run if it comes from a HTML fragment?

From: Ryosuke Niwa <rniwa@webkit.org>
Date: Thu, 11 Nov 2010 16:34:59 -0800
Message-ID: <AANLkTinWrxv0ST-s1uATZv2nm_sb0qtEEs6VpxDg3=Nv@mail.gmail.com>
Greetings all,

I'm working on the WebKit bug 12234 - Using createContextualFragment to
insert a <script> does not cause the script to
execute<https://bugs.webkit.org/show_bug.cgi?id=12234>.
 While investigating the issue, the following part of HTML5 spec came to my
attention:

*10.2.5.7 The "in head" insertion
mode<http://www.whatwg.org/specs/web-apps/current-work/#parsing-main-inhead>
*
...

   - *A start tag whose tag name is "script"*
   1. If the parser was originally created for the HTML fragment parsing
      algorithm, then mark the script element as "already started". (fragment
      case)

Since 10.4 Parsing HTML
fragments<http://www.whatwg.org/specs/web-apps/current-work/#fragment-case>does
not special case the script element, this seem to imply that we never
execute scripts inserted by the HTML fragment parsing algorithm.  Am I
right?

To give you more concrete example, should the following markup show the
alert or not?


<!DOCTYPE html>
<html>
<script>
document.body.innerHTML+="<scr"+"ipt>alert('SUCCESS')</scr"+"ipt>";
</script>
</html>


Best regards,
Ryosuke Niwa
Software Engineer
Google Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20101111/cb2d0867/attachment.htm>
Received on Thursday, 11 November 2010 16:34:59 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:28 UTC