[whatwg] Fallback behavior
Simon Pieters
simonp at opera.com
Thu Aug 21 17:11:06 PDT 2008
On Thu, 21 Aug 2008 23:54:44 +0200, Jonas Sicking <jonas at sicking.cc> wrote:
> Here is the list of elements that we *don't* execute scripts inside of
> in firefox:
>
> http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsScriptElement.cpp#148
>
> i.e. <iframe>, <noframes>, <noembed>
>
> Everywhere else we do execute the script.
>
> The reason these elements ended up at the list is in bugs
> https://bugzilla.mozilla.org/show_bug.cgi?id=5847
> https://bugzilla.mozilla.org/show_bug.cgi?id=26669
iframe, noframes and noembed are parsed as CDATA elements
http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0D%0A%3Ciframe%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E%3C%2Fiframe%3E
so there can't be any script elements as children of those in text/html.
In Opera and WebKit, the script executes in
data:text/xml,<iframe
xmlns='http://www.w3.org/1999/xhtml'><script>alert(1)</script></iframe>
and it hasn't caused us any problems AFAIK.
--
Simon Pieters
Opera Software
More information about the whatwg
mailing list