[whatwg] Should scripts and plugins in contenteditable content be enabled or disabled?
Simon Pieters
simonp at opera.com
Fri Apr 23 01:34:46 PDT 2010
On Fri, 23 Apr 2010 08:52:29 +0200, Simon Pieters <simonp at opera.com> wrote:
> On Fri, 23 Apr 2010 01:28:47 +0200, Robert O'Callahan
> <robert at ocallahan.org> wrote:
>
>> See https://bugzilla.mozilla.org/show_bug.cgi?id=519928
>>
>> Suppose we have a <script> element inside a contenteditable parent. Should
>> the script run? What about on* attribute event handlers, should they fire in
>> response to events? What about <object> plugins inside a contenteditable
>> parent, should they be instantiated?
>>
>> In Webkit, scripts, event handlers and plugins run normally. IE disables
>> them. Gecko disables them when designmode is used but enables them for
>> contenteditable. In
>> https://bugzilla.mozilla.org/show_bug.cgi?id=519928#c46 a CKEditor
>> developer argues forcefully that we should disable them.
>>
>> If we do choose to disable them, exactly how this should be specced is not
>> completely clear to me.
>>
>> There is a side issue of how editable <iframe>s should be treated.
>> Presumably we should load the subdocument, but if we disabled scripts for
>> editable content, should we allow scripts to run inside the <iframe>
>> document? Probably yes to allow framebusting to run. Perhaps we should
>> prevent user events from being delivered to the <iframe> document though?
>
> I think scripts, event handlers and plugins should run normally in
> contenteditable. Opera have tried hard to reverse engineer and implement
> the script disabling behavior for designMode in IE and Mozilla, but
> really I think it would be saner if we let scripts, event handlers and
> plugins run normally in designMode as well.
>
> http://lists.w3.org/Archives/Public/public-html/2007Nov/0218.html
> http://lists.w3.org/Archives/Public/public-html/2008Mar/0038.html
>
> (We might have changed behavior again slightly for compat with some
> sites, I don't recall the details.)
Apparently the details are as follows:
[[
pre-included scripts run -
http://software.hixie.ch/utilities/js/live-dom-viewer/saved/456 (same as
before afaict, but unlike Gecko)
inserted scripts do not run -
http://software.hixie.ch/utilities/js/live-dom-viewer/saved/457
eventlisteners work -
http://software.hixie.ch/utilities/js/live-dom-viewer/saved/458 (new
behavior, this was what broke Y!Mail, ebay, baidu)
on* attributes do not work -
http://software.hixie.ch/utilities/js/live-dom-viewer/saved/459 (same as
before)
]]
> It seems Hixie has decided to go back to the WebKit behavior in the spec
> for designMode.
>
> http://html5.org/tools/web-apps-tracker?from=2817&to=2818
>
--
Simon Pieters
Opera Software
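
An added example, not part of the original message or of any browser's code: since the engines discussed in this thread disagree on whether active content in editable regions runs, an editor can audit a document tree for exactly the constructs the thread names (scripts, on* attributes, <object> plugins, <iframe>s) inside effectively editable elements. The `{tag, attrs, children}` node shape and the sample tree are assumptions constructed for the example.

```javascript
// Added example. Nodes are plain objects {tag, attrs, children}: an assumed
// shape for this sketch, not a browser API. The sample tree is constructed.
const ACTIVE_TAGS = new Map([
  ["script", "script element"], ["object", "object plugin"], ["iframe", "iframe"],
]);

// contenteditable inherits: "" or "true" enables editing, "false" disables it,
// a missing or unrecognised value keeps the parent's state.
function editableState(node, inherited) {
  const raw = (node.attrs || {}).contenteditable;
  if (raw === undefined) return inherited;
  const value = String(raw).toLowerCase();
  if (value === "" || value === "true") return true;
  if (value === "false") return false;
  return inherited;
}

// Walk the tree and report active content on elements that are effectively
// editable (the editing host itself included).
function auditEditable(node, inherited = false, path = "", out = []) {
  const tag = node.tag.toLowerCase();
  const here = `${path}/${tag}`;
  const editable = editableState(node, inherited);
  if (editable) {
    if (ACTIVE_TAGS.has(tag)) out.push({ path: here, kind: ACTIVE_TAGS.get(tag) });
    for (const name of Object.keys(node.attrs || {})) {
      // Event handler content attributes all begin with "on".
      if (/^on/i.test(name)) out.push({ path: here, kind: `on* attribute: ${name}` });
    }
  }
  for (const child of node.children || []) auditEditable(child, editable, here, out);
  return out;
}

const sample = {
  tag: "body", attrs: { onload: "init()" }, children: [
    { tag: "script", attrs: {}, children: [] }, // outside any editing host
    { tag: "div", attrs: { contenteditable: "true" }, children: [
      { tag: "script", attrs: {}, children: [] },
      { tag: "p", attrs: { onclick: "track()" }, children: [] },
      { tag: "div", attrs: { contenteditable: "false" }, children: [ // non-editable island
        { tag: "object", attrs: { data: "movie.swf" }, children: [] },
      ] },
      { tag: "iframe", attrs: { src: "about:blank" }, children: [] },
    ] },
  ],
};
console.log(auditEditable(sample));
```

Each finding marks content whose execution depends on which engine behaviour the page is loaded in.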