[whatwg] Fallback behavior
Jonas Sicking
jonas at sicking.cc
Thu Aug 21 17:31:43 PDT 2008
Simon Pieters wrote:
> On Thu, 21 Aug 2008 23:54:44 +0200, Jonas Sicking <jonas at sicking.cc> wrote:
>
>> Here is the list of elements that we *don't* execute scripts inside of
>> in firefox:
>>
>> http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsScriptElement.cpp#148
>>
>>
>> i.e. <iframe>, <noframes>, <noembed>
>>
>> Everywhere else we do execute the script.
>>
>> The reason these elements ended up at the list is in bugs
>> https://bugzilla.mozilla.org/show_bug.cgi?id=5847
>> https://bugzilla.mozilla.org/show_bug.cgi?id=26669
>
> iframe, noframes and noembed are parsed as CDATA elements
>
>
> http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0D%0A%3Ciframe%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E%3C%2Fiframe%3E
>
>
> so there can't be any script elements as children of those in text/html.
> In Opera and WebKit, the script executes in
>
> data:text/xml,<iframe
> xmlns='http://www.w3.org/1999/xhtml'><script>alert(1)</script></iframe>
>
> and it hasn't caused us any problems AFAIK.
Looks like firefox doesn't parse the contents of the <iframe> as markup
either, but rather treat it as CDATA. Which makes me wonder why we ever
look for <iframe>s in the parent chain :)
I suspect it's just remnants from when things worked differently, the
check was put in in 1999 :)
But the effect is that even in XHTML, like the example you're providing
above, scripts in iframes don't execute. This was not intentional though
given that this code was put in in 1999, before we had xhtml support.
/ Jonas
More information about the whatwg
mailing list