[whatwg] Handling of script elements inside rendered OBJECT

Shadow2531 shadow2531 at gmail.com
Thu May 11 02:56:27 PDT 2006


On 5/11/06, Lachlan Hunt <lachlan.hunt at lachy.id.au> wrote:
> Shadow2531 wrote:
> > <object type="text/html" data="about:blank">
> >    <script>alert('You should not see this!');</script>
> > </object>
> >
> > What should happen in situations like that?
> >
> > The script element is alternate content.
> > The object is rendered.
> > The script SHOULD NOT be executed *until* the alernate content is
> > rendered.
>
> If scripts inside <object> aren't executed, then consider what should
> happen with this:
>
> <script>
>    document.write("<object type=\"text/html\" data=\"test\">");
> </script>
> <p>alternate content for when both scripts and the object isn't
> supported</p>
> <script>
>    document.write("<\/object>");
> </script>
>
> Because of the way document.write() works by writing data back into the
> stream, the question is: if scripts inside objects are not executed, is
> the second script considered part of the alternate content and thus not
> executed?
> Lachlan Hunt
> http://lachy.id.au/
>

Ouch. I see your point.

That problem could be avoided by authors making sure each
document.write() wrote complete element markup instead of splitting it
up like in your example. However, your example is far too common and
unless I'm missing something, not executing scripts in object tags
would break lots of things. Ouch.

While we're at it though, can you think of other reasons?

Thanks

-- 
burnout426


More information about the whatwg mailing list