[html5] r5499 - [giow] (2) Make policy checks for <script> happen after the flag is set that pre [...]

whatwg at whatwg.org whatwg at whatwg.org
Sat Sep 25 12:59:32 PDT 2010


Author: ianh
Date: 2010-09-25 12:59:30 -0700 (Sat, 25 Sep 2010)
New Revision: 5499

Modified:
   complete.html
   index
   source
Log:
[giow] (2) Make policy checks for <script> happen after the flag is set that prevents the script from being run again, so that if somehow an attacker causes a document to be reinserted somewhere that has scripts enabled, the scripts still won't run.
Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=10523

Modified: complete.html
===================================================================
--- complete.html	2010-09-25 19:36:15 UTC (rev 5498)
+++ complete.html	2010-09-25 19:59:30 UTC (rev 5499)
@@ -14250,13 +14250,11 @@
   <code><a href=#script>script</a></code> element is to be run, the user agent must act as
   follows:</p>
 
-  <ol><li id=script-processing-noscript>
+  <ol><li>
 
-    <p>If <a href=#concept-n-noscript title=concept-n-noscript>scripting is
-    disabled</a> for the <code><a href=#script>script</a></code> element, or if the
-    <code><a href=#script>script</a></code> element is marked as having <a href=#already-started>"already
-    started"</a>, then the user agent must abort these steps at
-    this point. The script is not executed.</p>
+    <p>If the <code><a href=#script>script</a></code> element is marked as having
+    <a href=#already-started>"already started"</a>, then the user agent must abort
+    these steps at this point. The script is not executed.</p>
 
    </li>
 
@@ -14328,18 +14326,6 @@
 
    </li>
 
-   <li id=script-processing-encoding>
-
-    <p>If the <code><a href=#script>script</a></code> element has a <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute, then let
-    <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var> for this
-    <code><a href=#script>script</a></code> element be the encoding given by the <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute.</p>
-
-    <p>Otherwise, let <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var>
-    for this <code><a href=#script>script</a></code> element be the same as <a href="#document's-character-encoding" title="document's character encoding">the encoding of the document
-    itself</a>.</p>
-
-   </li>
-
    <li id=script-processing-start>
 
     <p>The user agent must set the element's <a href=#already-started>"already
@@ -14354,6 +14340,15 @@
 
    </li>
 
+   <li id=script-processing-noscript>
+
+    <p>If <a href=#concept-n-noscript title=concept-n-noscript>scripting is
+    disabled</a> for the <code><a href=#script>script</a></code> element, then the user
+    agent must abort these steps at this point. The script is not
+    executed.</p>
+
+   </li>
+
    <li id=script-processing-for>
 
     <p>If the <code><a href=#script>script</a></code> element has an <code title=attr-script-event><a href=#attr-script-event>event</a></code> attribute and a <code title=attr-script-for><a href=#attr-script-for>for</a></code> attribute, then run these
@@ -14386,6 +14381,18 @@
 
    </li>
 
+   <li id=script-processing-encoding>
+
+    <p>If the <code><a href=#script>script</a></code> element has a <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute, then let
+    <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var> for this
+    <code><a href=#script>script</a></code> element be the encoding given by the <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute.</p>
+
+    <p>Otherwise, let <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var>
+    for this <code><a href=#script>script</a></code> element be the same as <a href="#document's-character-encoding" title="document's character encoding">the encoding of the document
+    itself</a>.</p>
+
+   </li>
+
    <li id=script-processing-src-prepare>
 
     <p>If the element has a <code title=attr-script-src><a href=#attr-script-src>src</a></code>

Modified: index
===================================================================
--- index	2010-09-25 19:36:15 UTC (rev 5498)
+++ index	2010-09-25 19:59:30 UTC (rev 5499)
@@ -14227,13 +14227,11 @@
   <code><a href=#script>script</a></code> element is to be run, the user agent must act as
   follows:</p>
 
-  <ol><li id=script-processing-noscript>
+  <ol><li>
 
-    <p>If <a href=#concept-n-noscript title=concept-n-noscript>scripting is
-    disabled</a> for the <code><a href=#script>script</a></code> element, or if the
-    <code><a href=#script>script</a></code> element is marked as having <a href=#already-started>"already
-    started"</a>, then the user agent must abort these steps at
-    this point. The script is not executed.</p>
+    <p>If the <code><a href=#script>script</a></code> element is marked as having
+    <a href=#already-started>"already started"</a>, then the user agent must abort
+    these steps at this point. The script is not executed.</p>
 
    </li>
 
@@ -14305,18 +14303,6 @@
 
    </li>
 
-   <li id=script-processing-encoding>
-
-    <p>If the <code><a href=#script>script</a></code> element has a <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute, then let
-    <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var> for this
-    <code><a href=#script>script</a></code> element be the encoding given by the <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute.</p>
-
-    <p>Otherwise, let <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var>
-    for this <code><a href=#script>script</a></code> element be the same as <a href="#document's-character-encoding" title="document's character encoding">the encoding of the document
-    itself</a>.</p>
-
-   </li>
-
    <li id=script-processing-start>
 
     <p>The user agent must set the element's <a href=#already-started>"already
@@ -14331,6 +14317,15 @@
 
    </li>
 
+   <li id=script-processing-noscript>
+
+    <p>If <a href=#concept-n-noscript title=concept-n-noscript>scripting is
+    disabled</a> for the <code><a href=#script>script</a></code> element, then the user
+    agent must abort these steps at this point. The script is not
+    executed.</p>
+
+   </li>
+
    <li id=script-processing-for>
 
     <p>If the <code><a href=#script>script</a></code> element has an <code title=attr-script-event><a href=#attr-script-event>event</a></code> attribute and a <code title=attr-script-for><a href=#attr-script-for>for</a></code> attribute, then run these
@@ -14363,6 +14358,18 @@
 
    </li>
 
+   <li id=script-processing-encoding>
+
+    <p>If the <code><a href=#script>script</a></code> element has a <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute, then let
+    <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var> for this
+    <code><a href=#script>script</a></code> element be the encoding given by the <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute.</p>
+
+    <p>Otherwise, let <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var>
+    for this <code><a href=#script>script</a></code> element be the same as <a href="#document's-character-encoding" title="document's character encoding">the encoding of the document
+    itself</a>.</p>
+
+   </li>
+
    <li id=script-processing-src-prepare>
 
     <p>If the element has a <code title=attr-script-src><a href=#attr-script-src>src</a></code>

Modified: source
===================================================================
--- source	2010-09-25 19:36:15 UTC (rev 5498)
+++ source	2010-09-25 19:59:30 UTC (rev 5499)
@@ -15074,13 +15074,11 @@
 
   <ol>
 
-   <li id="script-processing-noscript">
+   <li>
 
-    <p>If <span title="concept-n-noscript">scripting is
-    disabled</span> for the <code>script</code> element, or if the
-    <code>script</code> element is marked as having <span>"already
-    started"</span>, then the user agent must abort these steps at
-    this point. The script is not executed.</p>
+    <p>If the <code>script</code> element is marked as having
+    <span>"already started"</span>, then the user agent must abort
+    these steps at this point. The script is not executed.</p>
 
    </li>
 
@@ -15168,21 +15166,6 @@
 
    </li>
 
-   <li id="script-processing-encoding">
-
-    <p>If the <code>script</code> element has a <code
-    title="attr-script-charset">charset</code> attribute, then let
-    <var>the script block's character encoding</var> for this
-    <code>script</code> element be the encoding given by the <code
-    title="attr-script-charset">charset</code> attribute.</p>
-
-    <p>Otherwise, let <var>the script block's character encoding</var>
-    for this <code>script</code> element be the same as <span
-    title="document's character encoding">the encoding of the document
-    itself</span>.</p>
-
-   </li>
-
    <li id="script-processing-start">
 
     <p>The user agent must set the element's <span>"already
@@ -15197,6 +15180,15 @@
 
    </li>
 
+   <li id="script-processing-noscript">
+
+    <p>If <span title="concept-n-noscript">scripting is
+    disabled</span> for the <code>script</code> element, then the user
+    agent must abort these steps at this point. The script is not
+    executed.</p>
+
+   </li>
+
    <li id="script-processing-for">
 
     <p>If the <code>script</code> element has an <code
@@ -15240,6 +15232,21 @@
 
    </li>
 
+   <li id="script-processing-encoding">
+
+    <p>If the <code>script</code> element has a <code
+    title="attr-script-charset">charset</code> attribute, then let
+    <var>the script block's character encoding</var> for this
+    <code>script</code> element be the encoding given by the <code
+    title="attr-script-charset">charset</code> attribute.</p>
+
+    <p>Otherwise, let <var>the script block's character encoding</var>
+    for this <code>script</code> element be the same as <span
+    title="document's character encoding">the encoding of the document
+    itself</span>.</p>
+
+   </li>
+
    <li id="script-processing-src-prepare">
 
     <p>If the element has a <code title="attr-script-src">src</code>




More information about the Commit-Watchers mailing list