Re: [whatwg] Script parsing mode within SVG sections in HTML documents

On Sun, 21 Jun 2015, Niels Keurentjes wrote:
>
> I ran into a discussion on Stack Overflow in this topic: 
> http://stackoverflow.com/q/30952737/1729885, regarding embedding the 
> following code snippet in an HTML document:
> 	
> <svg><script>&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</script></svg>
> 
> The character references translate to "alert(1)". I have confirmed that, 
> in all the latest versions of IE, Chrome and Firefox, this code is 
> executed, whilst it is not if the <svg> container is omitted. I neither 
> think this is intentional nor wanted behavior, as HTML5 explicitly 
> defines a separate script parsing mode which handles character 
> references as plain text.

It's not great, but it is intentional. Within <svg> and <math> blocks, we 
use the "foreign content" parsing mode wherein parsing is much more 
similar to legacy XML parsing than legacy HTML parsing:

   https://html.spec.whatwg.org/#parsing-main-inforeign

Note in particular that the special behaviour for <script> here doesn't 
include changing the tokeniser mode, like it would in non-foreign content.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 22 June 2015 00:01:31 UTC