Greetings all,<div><br></div><div>I'm working on <a href="https://bugs.webkit.org/show_bug.cgi?id=12234">WebKit bug 12234 - Using createContextualFragment to insert a &lt;script&gt; does not cause the script to execute</a>. While investigating the issue, the following part of the HTML5 spec came to my attention:</div>
<div><br></div><div><b><a href="http://www.whatwg.org/specs/web-apps/current-work/#parsing-main-inhead">10.2.5.7 The "in head" insertion mode</a></b></div><div>...</div><div><ul><li><b>A start tag whose tag name is "script"</b><br>
</li><ol><li>If the parser was originally created for the HTML fragment parsing algorithm, then mark the script element as "already started". (fragment case)</li></ol></ul></div><div>Since <a href="http://www.whatwg.org/specs/web-apps/current-work/#fragment-case">10.4 Parsing HTML fragments</a> does not special-case the script element, this seems to imply that we never execute scripts inserted by the HTML fragment parsing algorithm. Am I right?</div>
<div><br></div><div>To give you a more concrete example, should the following markup show the alert or not?</div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif; border-collapse: collapse; -webkit-border-horizontal-spacing: 1px; -webkit-border-vertical-spacing: 1px; "><pre class="bz_comment_text" id="comment_text_1" style="font-size: medium; font-family: monospace; white-space: pre-wrap; width: auto; ">
&lt;!DOCTYPE html&gt;
&lt;html&gt;
&lt;script&gt;
document.body.innerHTML+="&lt;scr"+"ipt&gt;alert('SUCCESS')&lt;/scr"+"ipt&gt;";
&lt;/script&gt;
&lt;/html&gt;</pre></span></div><div><br></div><div>Best regards,</div><div>Ryosuke Niwa<br><font color="#999999">Software Engineer</font><div><font color="#999999">Google Inc.</font></div><div><font color="#999999"><br>
</font></div><br>
</div>