W3C home > Mailing lists > Public > whatwg@whatwg.org > June 2015

Re: [whatwg] Script parsing mode within SVG sections in HTML documents

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 22 Jun 2015 00:01:04 +0000 (UTC)
To: Niels Keurentjes <niels.keurentjes@omines.com>
Message-ID: <alpine.DEB.2.00.1506212358190.30233@ps20323.dreamhostps.com>
Cc: "whatwg@whatwg.org" <whatwg@whatwg.org>
On Sun, 21 Jun 2015, Niels Keurentjes wrote:
>
> I ran into a discussion on Stack Overflow in this topic: 
> http://stackoverflow.com/q/30952737/1729885, regarding embedding the 
> following code snippet in an HTML document:
> 	
> <svg><script>&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</script></svg>
> 
> The character references translate to "alert(1)". I have confirmed that, 
> in all the latest versions of IE, Chrome and Firefox, this code is 
> executed, whilst it is not if the <svg> container is omitted. I neither 
> think this is intentional nor wanted behavior, as HTML5 explicitly 
> defines a separate script parsing mode which handles character 
> references as plain text.

It's not great, but it is intentional. Within <svg> and <math> blocks, we 
use the "foreign content" parsing mode wherein parsing is much more 
similar to legacy XML parsing than legacy HTML parsing:

   https://html.spec.whatwg.org/#parsing-main-inforeign

Note in particular that the special behaviour for <script> here doesn't 
include changing the tokeniser mode, like it would in non-foreign content.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 22 June 2015 00:01:31 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:33 UTC