[html5] r5499 - [giow] (2) Make policy checks for <script> happen after the flag is set that pre [...]
whatwg at whatwg.org
whatwg at whatwg.org
Sat Sep 25 12:59:32 PDT 2010
Author: ianh
Date: 2010-09-25 12:59:30 -0700 (Sat, 25 Sep 2010)
New Revision: 5499
Modified:
complete.html
index
source
Log:
[giow] (2) Make policy checks for <script> happen after the flag is set that prevents the script from being run again, so that if somehow an attacker causes a document to be reinserted somewhere that has scripts enabled, the scripts still won't run.
Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=10523
Modified: complete.html
===================================================================
--- complete.html 2010-09-25 19:36:15 UTC (rev 5498)
+++ complete.html 2010-09-25 19:59:30 UTC (rev 5499)
@@ -14250,13 +14250,11 @@
<code><a href=#script>script</a></code> element is to be run, the user agent must act as
follows:</p>
- <ol><li id=script-processing-noscript>
+ <ol><li>
- <p>If <a href=#concept-n-noscript title=concept-n-noscript>scripting is
- disabled</a> for the <code><a href=#script>script</a></code> element, or if the
- <code><a href=#script>script</a></code> element is marked as having <a href=#already-started>"already
- started"</a>, then the user agent must abort these steps at
- this point. The script is not executed.</p>
+ <p>If the <code><a href=#script>script</a></code> element is marked as having
+ <a href=#already-started>"already started"</a>, then the user agent must abort
+ these steps at this point. The script is not executed.</p>
</li>
@@ -14328,18 +14326,6 @@
</li>
- <li id=script-processing-encoding>
-
- <p>If the <code><a href=#script>script</a></code> element has a <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute, then let
- <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var> for this
- <code><a href=#script>script</a></code> element be the encoding given by the <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute.</p>
-
- <p>Otherwise, let <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var>
- for this <code><a href=#script>script</a></code> element be the same as <a href="#document's-character-encoding" title="document's character encoding">the encoding of the document
- itself</a>.</p>
-
- </li>
-
<li id=script-processing-start>
<p>The user agent must set the element's <a href=#already-started>"already
@@ -14354,6 +14340,15 @@
</li>
+ <li id=script-processing-noscript>
+
+ <p>If <a href=#concept-n-noscript title=concept-n-noscript>scripting is
+ disabled</a> for the <code><a href=#script>script</a></code> element, then the user
+ agent must abort these steps at this point. The script is not
+ executed.</p>
+
+ </li>
+
<li id=script-processing-for>
<p>If the <code><a href=#script>script</a></code> element has an <code title=attr-script-event><a href=#attr-script-event>event</a></code> attribute and a <code title=attr-script-for><a href=#attr-script-for>for</a></code> attribute, then run these
@@ -14386,6 +14381,18 @@
</li>
+ <li id=script-processing-encoding>
+
+ <p>If the <code><a href=#script>script</a></code> element has a <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute, then let
+ <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var> for this
+ <code><a href=#script>script</a></code> element be the encoding given by the <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute.</p>
+
+ <p>Otherwise, let <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var>
+ for this <code><a href=#script>script</a></code> element be the same as <a href="#document's-character-encoding" title="document's character encoding">the encoding of the document
+ itself</a>.</p>
+
+ </li>
+
<li id=script-processing-src-prepare>
<p>If the element has a <code title=attr-script-src><a href=#attr-script-src>src</a></code>
Modified: index
===================================================================
--- index 2010-09-25 19:36:15 UTC (rev 5498)
+++ index 2010-09-25 19:59:30 UTC (rev 5499)
@@ -14227,13 +14227,11 @@
<code><a href=#script>script</a></code> element is to be run, the user agent must act as
follows:</p>
- <ol><li id=script-processing-noscript>
+ <ol><li>
- <p>If <a href=#concept-n-noscript title=concept-n-noscript>scripting is
- disabled</a> for the <code><a href=#script>script</a></code> element, or if the
- <code><a href=#script>script</a></code> element is marked as having <a href=#already-started>"already
- started"</a>, then the user agent must abort these steps at
- this point. The script is not executed.</p>
+ <p>If the <code><a href=#script>script</a></code> element is marked as having
+ <a href=#already-started>"already started"</a>, then the user agent must abort
+ these steps at this point. The script is not executed.</p>
</li>
@@ -14305,18 +14303,6 @@
</li>
- <li id=script-processing-encoding>
-
- <p>If the <code><a href=#script>script</a></code> element has a <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute, then let
- <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var> for this
- <code><a href=#script>script</a></code> element be the encoding given by the <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute.</p>
-
- <p>Otherwise, let <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var>
- for this <code><a href=#script>script</a></code> element be the same as <a href="#document's-character-encoding" title="document's character encoding">the encoding of the document
- itself</a>.</p>
-
- </li>
-
<li id=script-processing-start>
<p>The user agent must set the element's <a href=#already-started>"already
@@ -14331,6 +14317,15 @@
</li>
+ <li id=script-processing-noscript>
+
+ <p>If <a href=#concept-n-noscript title=concept-n-noscript>scripting is
+ disabled</a> for the <code><a href=#script>script</a></code> element, then the user
+ agent must abort these steps at this point. The script is not
+ executed.</p>
+
+ </li>
+
<li id=script-processing-for>
<p>If the <code><a href=#script>script</a></code> element has an <code title=attr-script-event><a href=#attr-script-event>event</a></code> attribute and a <code title=attr-script-for><a href=#attr-script-for>for</a></code> attribute, then run these
@@ -14363,6 +14358,18 @@
</li>
+ <li id=script-processing-encoding>
+
+ <p>If the <code><a href=#script>script</a></code> element has a <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute, then let
+ <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var> for this
+ <code><a href=#script>script</a></code> element be the encoding given by the <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute.</p>
+
+ <p>Otherwise, let <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var>
+ for this <code><a href=#script>script</a></code> element be the same as <a href="#document's-character-encoding" title="document's character encoding">the encoding of the document
+ itself</a>.</p>
+
+ </li>
+
<li id=script-processing-src-prepare>
<p>If the element has a <code title=attr-script-src><a href=#attr-script-src>src</a></code>
Modified: source
===================================================================
--- source 2010-09-25 19:36:15 UTC (rev 5498)
+++ source 2010-09-25 19:59:30 UTC (rev 5499)
@@ -15074,13 +15074,11 @@
<ol>
- <li id="script-processing-noscript">
+ <li>
- <p>If <span title="concept-n-noscript">scripting is
- disabled</span> for the <code>script</code> element, or if the
- <code>script</code> element is marked as having <span>"already
- started"</span>, then the user agent must abort these steps at
- this point. The script is not executed.</p>
+ <p>If the <code>script</code> element is marked as having
+ <span>"already started"</span>, then the user agent must abort
+ these steps at this point. The script is not executed.</p>
</li>
@@ -15168,21 +15166,6 @@
</li>
- <li id="script-processing-encoding">
-
- <p>If the <code>script</code> element has a <code
- title="attr-script-charset">charset</code> attribute, then let
- <var>the script block's character encoding</var> for this
- <code>script</code> element be the encoding given by the <code
- title="attr-script-charset">charset</code> attribute.</p>
-
- <p>Otherwise, let <var>the script block's character encoding</var>
- for this <code>script</code> element be the same as <span
- title="document's character encoding">the encoding of the document
- itself</span>.</p>
-
- </li>
-
<li id="script-processing-start">
<p>The user agent must set the element's <span>"already
@@ -15197,6 +15180,15 @@
</li>
+ <li id="script-processing-noscript">
+
+ <p>If <span title="concept-n-noscript">scripting is
+ disabled</span> for the <code>script</code> element, then the user
+ agent must abort these steps at this point. The script is not
+ executed.</p>
+
+ </li>
+
<li id="script-processing-for">
<p>If the <code>script</code> element has an <code
@@ -15240,6 +15232,21 @@
</li>
+ <li id="script-processing-encoding">
+
+ <p>If the <code>script</code> element has a <code
+ title="attr-script-charset">charset</code> attribute, then let
+ <var>the script block's character encoding</var> for this
+ <code>script</code> element be the encoding given by the <code
+ title="attr-script-charset">charset</code> attribute.</p>
+
+ <p>Otherwise, let <var>the script block's character encoding</var>
+ for this <code>script</code> element be the same as <span
+ title="document's character encoding">the encoding of the document
+ itself</span>.</p>
+
+ </li>
+
<li id="script-processing-src-prepare">
<p>If the element has a <code title="attr-script-src">src</code>
More information about the Commit-Watchers
mailing list