[whatwg] Fallback behavior

Simon Pieters simonp at opera.com
Thu Aug 21 17:11:06 PDT 2008


On Thu, 21 Aug 2008 23:54:44 +0200, Jonas Sicking <jonas at sicking.cc> wrote:

> Here is the list of elements that we *don't* execute scripts inside of  
> in firefox:
>
> http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsScriptElement.cpp#148
>
> i.e. <iframe>, <noframes>, <noembed>
>
> Everywhere else we do execute the script.
>
> The reason these elements ended up at the list is in bugs
> https://bugzilla.mozilla.org/show_bug.cgi?id=5847
> https://bugzilla.mozilla.org/show_bug.cgi?id=26669

iframe, noframes and noembed are parsed as CDATA elements

    http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0D%0A%3Ciframe%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E%3C%2Fiframe%3E

so there can't be any script elements as children of those in text/html.  
In Opera and WebKit, the script executes in

    data:text/xml,<iframe  
xmlns='http://www.w3.org/1999/xhtml'><script>alert(1)</script></iframe>

and it hasn't caused us any problems AFAIK.

-- 
Simon Pieters
Opera Software



More information about the whatwg mailing list