[whatwg] Should script run if it comes from a HTML fragment?

Jonas Sicking jonas at sicking.cc
Fri Nov 12 15:11:42 PST 2010

On Fri, Nov 12, 2010 at 2:54 PM, Ryosuke Niwa <rniwa at webkit.org> wrote:
> On Fri, Nov 12, 2010 at 2:29 PM, Jonas Sicking <jonas at sicking.cc> wrote:
>> You're looking at only part of what Henri said. He also pointed to
>> http://www.w3.org/Bugs/Public/show_bug.cgi?id=11191
>> which is a request to change HTML5 so that createContextualFragment
>> can specify that scripts should remain executable.
> However, this request has not been granted yet.

I'm not sure what your argument is? This is just an editorial matter,
createContextualFragment can always be defined to behave in whatever way
we deem is appropriate no matter what. And more importantly, the
biggest input to the spec will be what implementations do, not the
other way around.

>> >> * Since scripts don't execute synchronously from within
>> >> createContextualFragment the caller doesn't have to deal with weird
>> >> reentrancy issues during parsing.
>> >
>> > Sure but that means we have to special-case fragments created
>> > by createContextualFragment. That adds extra complexity to the HTML
>> > fragment parsing algorithm.
>> I'd prefer to single out scripts only in one API than in multiple ones.
> innerHTML and createContextualFragment both use the HTML fragment parsing
> algorithm.  If you had implemented these features as described in the spec,
> there should be no differences.

Again, a spec for createContextualFragment didn't exist until recently.
And it certainly didn't exist close to a decade ago when it was
invented at Netscape. Same thing for innerHTML when it was invented at

The spec really isn't a source of authority here, reality is. I think
discussions about specs as a source of authority here is a red

> My concern is that treating script elements in a fragment differently based
> on whether the fragment was added by innerHTML or createContextualFragment
> is confusing to the developers.  I would, if I was a developer.

You could also argue that it's confusing that createElement and
XSLTProcessor.transformToFragment create fragments where scripts do
execute, but createContextualFragment doesn't.

> If
> developers wanted to load a script file, they can explicitly load the file
> and use eval, no?

I'd rather argue that they wouldn't put a <script> in their fragment
if they wanted it to do nothing.

/ Jonas
