- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 22 Jun 2015 00:01:04 +0000 (UTC)
- To: Niels Keurentjes <niels.keurentjes@omines.com>
- Cc: "whatwg@whatwg.org" <whatwg@whatwg.org>
On Sun, 21 Jun 2015, Niels Keurentjes wrote:
>
> I ran into a discussion on Stack Overflow in this topic:
> http://stackoverflow.com/q/30952737/1729885, regarding embedding the
> following code snippet in an HTML document:
>
> <svg><script>alert(1)</script></svg>
>
> The character references translate to "alert(1)". I have confirmed that,
> in all the latest versions of IE, Chrome and Firefox, this code is
> executed, whilst it is not if the <svg> container is omitted. I neither
> think this is intentional nor wanted behavior, as HTML5 explicitly
> defines a separate script parsing mode which handles character
> references as plain text.

It's not great, but it is intentional. Within <svg> and <math> blocks, we
use the "foreign content" parsing mode wherein parsing is much more
similar to legacy XML parsing than legacy HTML parsing:

   https://html.spec.whatwg.org/#parsing-main-inforeign

Note in particular that the special behaviour for <script> here doesn't
include changing the tokeniser mode, like it would in non-foreign content.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 22 June 2015 00:01:31 UTC
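
The parsing difference described in the reply above, as an added example that is not part of the original message or of any browser's code: a simplified JavaScript model that reports the text each script element ends up with, so a content filter can compare the raw and decoded forms. The function names and the sample markup are constructed for illustration, and the model assumes well-formed input with no comments, CDATA sections or self-closing tags.

```javascript
// Added example; a simplified model, not a full HTML tokenizer.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" }; // small subset

const fromCode = (n) => (n > 0x10ffff ? "\uFFFD" : String.fromCodePoint(n));

// Decode numeric character references and the named subset above.
function decodeCharRefs(text) {
  const re = /&#x([0-9a-f]+);?|&#([0-9]+);?|&([a-z]+);/gi;
  return text.replace(re, (m, hex, dec, name) => {
    if (hex) return fromCode(parseInt(hex, 16));
    if (dec) return fromCode(parseInt(dec, 10));
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
  });
}

// For every <script>, return its raw text and the text the parser would hand
// to the script engine. In HTML content the tokenizer switches to script data
// (references stay literal); inside <svg>/<math> it does not switch, so
// references are decoded like in any other text node.
function scriptSources(markup) {
  const results = [];
  const tagRe = /<(\/?)(svg|math|script)\b[^>]*>/gi;
  let foreignDepth = 0;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (name !== "script") {
      foreignDepth = Math.max(0, foreignDepth + (closing ? -1 : 1));
      continue;
    }
    if (closing) continue; // stray end tag
    const start = tagRe.lastIndex;
    const endTag = /<\/script\b[^>]*>/i.exec(markup.slice(start));
    const end = endTag ? start + endTag.index : markup.length;
    const raw = markup.slice(start, end);
    const foreign = foreignDepth > 0;
    results.push({ foreign, raw, source: foreign ? decodeCharRefs(raw) : raw });
    tagRe.lastIndex = endTag ? end + endTag[0].length : markup.length;
  }
  return results;
}

// Scripts whose effective source differs from what a raw-text scan would see.
const decodedMismatch = (markup) =>
  scriptSources(markup).filter((s) => s.foreign && s.raw !== s.source);

// Constructed sample: the same script text outside and inside <svg>.
const SAMPLE = "<script>&#97;lert(1)</script><svg><script>&#97;lert(1)</script></svg>";
console.log(scriptSources(SAMPLE), decodedMismatch(SAMPLE).length);
```

A filter that inspects script text should run its checks on `source` rather than `raw` whenever `foreign` is true.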