Re: script tags fire in a switch element from Erik Dahlström on 2014-02-11 (www-svg@w3.org from February 2014)

From: Erik Dahlström <ed@opera.com>
Date: Tue, 11 Feb 2014 13:44:04 +0100
To: www-svg@w3.org, "Miles Elam" <mcelam@google.com>
Message-ID: <op.xa4azqaxdhsuf5@gnorps>

The SVG WG discussed this issue at the most recent F2F meeting, see  
minutes here[1]

It was resolved that <switch> should not affect <script> processing, and  
the SVG2 spec has been updated to state this[2].

Thank you for your feedback.


[1] http://www.w3.org/2014/01/30-svg-minutes.html#item02
[2] https://svgwg.org/svg2-draft/struct.html#SwitchElement

On Fri, 17 Jan 2014 01:01:40 +0100, Miles Elam <mcelam@google.com> wrote:

> Example URL:
> http://jsbin.com/ABOzeDAR/2
>
> Alert box shown even though the script tag should be in a deactivated
> portion of the switch element.
>
> I was exploring this as a way of getting IE SMIL support to work by
> enabling the FakeSmile (SMIL polyfill) script only when the
> declarative animation feature is missing, i.e., 'switch' with
> requiredFeatures="http://www.w3.org/TR/SVG11/feature#Animation".
> Unfortunately, Chrome, FireFox, and Safari all execute the script
> regardless of placement whereas purely visual elements work as
> expected when placed in the switch.
>
> I found this unintuitive. As a Mozilla contributor noted, "‘script’
> should actually only be valid if it is a child of ‘a’, ‘defs’,
> ‘glyph’, ‘g’, ‘marker’, ‘missing-glyph’, ‘pattern’, ‘svg’, and
> ‘symbol'. By the letter of the svg specification therefore it should
> be ignored even if it is the active child of a switch (unless you made
> the script the child of a valid container like an svg or g element)."
>
> So I may have been in error in trying the script tag in the switch
> element, but given that it's invalid either way, I find it troubling
> that a script gets executed regardless of context.
>
> The spec would do well to have the behavior codified. Also, is there
> any proposal for incorporating such polyfills without scripting? I
> though I had found one with the switch element, but obviously not in
> practice.
>
> One of my goals was to have an easily validated SVG model that was
> purely declarative, meaning in this case SVG + SMIL. Once event
> handlers, script tags, and executable data URIs enter in the picture,
> the potential exploit surface becomes vastly larger. The introduction
> of the SMIL polyfill was only meant to be limited pragmatism toward
> Microsoft's...shall we say independence.
>
> I'd like to use declarative feature detection, but as it stands I'm
> stuck with adding the script everywhere or doing server side
> modification by user agent sniffing, i.e., non-optimal, and there is
> no guidance here with regard to a spec that I can refer to during bug
> reports.
>
>
> Cheers,
>
> Miles Elam
>
>


-- 
Erik Dahlstrom, Web Technology Developer, Opera Software
Co-Chair, W3C SVG Working Group

Received on Tuesday, 11 February 2014 12:44:42 UTC