- From: David Woolley <david@djwhome.demon.co.uk>
- Date: Sat, 28 Jun 2003 14:46:33 +0100 (BST)
- To: www-html@w3.org
> document.write("complete paragraph<");

This would be borderline invalid in HTML 4 as well, as a special case of a rule that the result of any document.write type behaviour (document.write is mentioned but not defined) should be syntactically valid both before and after execution of the script. In HTML 4 Strict, the only reason that this might be technically allowed is that </P> is redundant, and the two parts of the closing tag were written within the same script element.

There are also other rules, often ignored by browsers, that prevent the inclusion of scripting at all in certain places. I'm pretty sure that both rules are violated in common web site coding idioms.

The above is included in the HTML 4 recommendation document, so presumably on topic; the following is off topic.

The way I read the W3C document object model specifications is that document.write is never allowed on the primary document, as the writer did not open it, and closing the document.write document would destroy the current document. If that interpretation is correct, the common, load time, use of document.write is only sanctioned by the non-standardised "document object 0" that represents legacy DOM features in Mozilla, etc.

I think the real philosophical reason for the restrictions on document.write is that the document object model is intended for manipulating the tree that represents a model of a document, not for writing unstructured fragments of a serialised, textual, version of the object model.

<BorderlineBackOnTopic>

If the designers of HTML had wanted macro-processing facilities in HTML they should have used SGML marked sections and SGML entities. I can't remember if marked sections made it into XML outside of the DTD and CDATA sections.
Their use would require a validating parser, but I would argue that any parser that processes document.write has to be a validating parser for the scripting language used, so making it validating for XML (maybe with a cache of standard DTDs built in) would be no hardship. If not "enhanced" by the vendors (e.g. by defining pseudo-entities that ran ActiveX objects), such a mechanism would be a lot safer than scripting, and I might be prepared to allow it by default. There might still be some risk of denial of service, by recursion, and some residual buffer overrun vulnerabilities. There might still be a privacy issue in that any browser defined entity might be revealed to the web site.
Received on Saturday, 28 June 2003 09:47:10 UTC
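The following is an added example, not code from David Woolley's message, from the W3C, or from any browser. It is a small Node.js checker for the rule the message cites: markup that uses document.write should be syntactically sound both before the script runs (script element removed) and after it runs (script element replaced by what it wrote). It models the HTML 4 treatment of SCRIPT content as CDATA that ends at the first "</" (HTML 4.01, section 6.2), which is why the quoted idiom splits "</p>" across two calls, and it only balances start and end tags with a subset of HTML 4's optional-end and EMPTY elements; it is not a DTD validator. The sample documents, the stub `document` object and the function names are constructed for illustration.

```javascript
// Added example, not code from the original message or from the W3C.
// Checks the "valid before and after document.write" rule on constructed
// sample documents. Script content is cut at the first "</", as HTML 4 does.

// HTML 4 Strict elements whose end tag may be omitted (subset used here).
const OPTIONAL_END = new Set(["html", "head", "body", "p", "li", "dt", "dd", "tr", "td", "th", "option"]);
// Elements declared EMPTY in HTML 4 (no content, no end tag).
const EMPTY = new Set(["br", "hr", "img", "input", "meta", "link", "area", "col", "param", "base"]);

// Split markup into text runs and SCRIPT elements the way an SGML-style
// HTML 4 parser sees them: script content runs up to the first "</",
// whatever that "</" turns out to belong to.
function splitScripts(html) {
  const parts = [];
  const open = /<script\b[^>]*>/gi;
  let pos = 0;
  let m;
  while ((m = open.exec(html)) !== null) {
    const etago = html.indexOf("</", open.lastIndex);
    if (etago < 0) throw new Error("SCRIPT content never terminated by </");
    const close = html.indexOf(">", etago);
    if (close < 0) throw new Error("end tag after </ never closed");
    parts.push({ type: "text", value: html.slice(pos, m.index) });
    parts.push({ type: "script", code: html.slice(open.lastIndex, etago), endTag: html.slice(etago, close + 1) });
    pos = close + 1;
    open.lastIndex = pos; // resume after the end tag, not inside the script content
  }
  parts.push({ type: "text", value: html.slice(pos) });
  return parts;
}

// Execute script text against a stub "document" (an assumption of this
// example) that only records what is written. Nothing else is exposed,
// so code relying on other DOM features fails instead of running silently.
function collectWrites(code) {
  const out = [];
  const stubDocument = { write: (s) => { out.push(String(s)); } };
  new Function("document", code)(stubDocument);
  return out.join("");
}

// Check that start and end tags nest, honouring optional and EMPTY end tags.
// Returns { ok, reason }.
function tagBalance(markup) {
  const stack = [];
  const token = /<(\/?)([A-Za-z][A-Za-z0-9]*)\b[^>]*>|</g;
  let m;
  while ((m = token.exec(markup)) !== null) {
    if (m[2] === undefined) return { ok: false, reason: `stray "<" at offset ${m.index}` };
    const name = m[2].toLowerCase();
    if (EMPTY.has(name)) continue;
    if (m[1] === "") { stack.push(name); continue; }
    // An end tag implicitly closes optional-end elements opened above its match.
    while (stack.length && stack[stack.length - 1] !== name && OPTIONAL_END.has(stack[stack.length - 1])) stack.pop();
    if (!stack.length || stack[stack.length - 1] !== name) return { ok: false, reason: `unexpected </${name}>` };
    stack.pop();
  }
  const unclosed = stack.filter((n) => !OPTIONAL_END.has(n));
  return unclosed.length ? { ok: false, reason: `unclosed <${unclosed.join(">, <")}>` } : { ok: true, reason: "" };
}

// Apply the before/after rule to one document.
function checkDocumentWrite(html) {
  const parts = splitScripts(html);
  const before = parts.map((p) => (p.type === "text" ? p.value : "")).join("");
  let after = "";
  for (const p of parts) {
    if (p.type === "text") { after += p.value; continue; }
    try {
      after += collectWrites(p.code);
    } catch (e) {
      // Typical cause: a "</" inside a string literal cut the script short.
      return { before: tagBalance(before), after: { ok: false, reason: `script failed: ${e.message} (content ended at ${JSON.stringify(p.endTag)})` } };
    }
  }
  return { before: tagBalance(before), after: tagBalance(after) };
}

// Constructed sample documents (not from the original message).
const SAMPLES = {
  // The idiom under discussion: the end tag split so no "</" appears in the script.
  idiom: '<p>Some text <script>document.write("complete paragraph<"); document.write("/p>");</script>',
  // The same intent written naively: "</" inside the literal terminates the script.
  etago: '<p><script>document.write("complete paragraph</p>");</script>',
  // Valid before the script runs, invalid after it.
  unclosedAfter: '<div><script>document.write("<span>written");</script></div>',
  // Invalid before the script runs, valid after it.
  unclosedBefore: '<script>document.write("<em>");</script>emphasised</em>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  const r = checkDocumentWrite(html);
  console.log(`${name}: before ${r.before.ok ? "ok" : r.before.reason}; after ${r.after.ok ? "ok" : r.after.reason}`);
}
```

Only the `idiom` sample passes both checks; `etago` shows why the message's quoted code splits the end tag, since under the HTML 4 rule the script text ends at the "</" inside the string literal and what is left does not even parse. HTML5 parsers end script content only at a `</script` sequence, so the naive form runs in a modern browser; the SGML rule modelled here is the one the message is reasoning about.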