[whatwg] Should scripts and plugins in contenteditable content be enabled or disabled?

Simon Pieters simonp at opera.com
Fri Apr 23 01:34:46 PDT 2010

On Fri, 23 Apr 2010 08:52:29 +0200, Simon Pieters <simonp at opera.com> wrote:

> On Fri, 23 Apr 2010 01:28:47 +0200, Robert O'Callahan  
> <robert at ocallahan.org> wrote:
>> See https://bugzilla.mozilla.org/show_bug.cgi?id=519928
>> Suppose we have a <script> element inside a contenteditable parent.  
>> Should
>> the script run? What about on* attribute event handlers, should they  
>> fire in
>> response to events? What about <object> plugins inside a contenteditable
>> parent, should they be instantiated?
>> In Webkit, scripts, event handlers and plugins run normally. IE disables
>> them. Gecko disables them when designmode is used but enables them for
>> contenteditable. In
>> https://bugzilla.mozilla.org/show_bug.cgi?id=519928#c46a CKEditor
>> developer argues forcefully that we should disable them.
>> If we do choose to disable them, exactly how this should be specced is  
>> not
>> completely clear to me.
>> There is a side issue of how editable <iframe>s should be treated.
>> Presumably we should load the subdocument, but if we disabled scripts  
>> for
>> editable content, should we allow scripts to run inside the <iframe>
>> document? Probably yes to allow framebusting to run. Perhaps we should
>> prevent user events from being delivered to the <iframe> document  
>> though?
> I think scripts, event handlers and plugins should run normally in  
> contenteditable. Opera have tried hard to reverse engineer and implement  
> the script disabling behavior for designMode in IE and Mozilla, but  
> really I think it would be saner if we let scripts, event handlers and  
> plugins run normally in designMode as well.
> http://lists.w3.org/Archives/Public/public-html/2007Nov/0218.html
> http://lists.w3.org/Archives/Public/public-html/2008Mar/0038.html
> (We might have changed behavior again slightly for compat with some  
> sites, I don't recall the details.)

Apparently the details are as follows:

pre-included scripts run - http://software.hixie.ch/utilities/js/live-dom-viewer/saved/456 (same as before afaict, but unlike Gecko)
inserted scripts do not run -
event listeners work - http://software.hixie.ch/utilities/js/live-dom-viewer/saved/458 (new behavior, this was what broke Y!Mail, ebay, baidu)
on* attributes do not work - http://software.hixie.ch/utilities/js/live-dom-viewer/saved/459 (same as

> It seems Hixie has decided to go back to the WebKit behavior in the spec  
> for designMode.
> http://html5.org/tools/web-apps-tracker?from=2817&to=2818

Simon Pieters
Opera Software
