[prev in list] [next in list] [prev in thread] [next in thread]
List: whatwg
Subject: Re: [whatwg] Script parsing mode within SVG sections in HTML documents
From: Ian Hickson <ian () hixie ! ch>
Date: 2015-06-22 0:01:04
Message-ID: alpine.DEB.2.00.1506212358190.30233 () ps20323 ! dreamhostps ! com
[Download RAW message or body]
On Sun, 21 Jun 2015, Niels Keurentjes wrote:
>
> I ran into a discussion on Stack Overflow in this topic:
> http://stackoverflow.com/q/30952737/1729885, regarding embedding the
> following code snippet in an HTML document:
>
> <svg><script>alert(1)</script></svg>
>
> The character references translate to "alert(1)". I have confirmed that,
> in all the latest versions of IE, Chrome and Firefox, this code is
> executed, whilst it is not if the <svg> container is omitted. I neither
> think this is intentional nor wanted behavior, as HTML5 explicitly
> defines a separate script parsing mode which handles character
> references as plain text.
It's not great, but it is intentional. Within <svg> and <math> blocks, we
use the "foreign content" parsing mode wherein parsing is much more
similar to legacy XML parsing than legacy HTML parsing:
https://html.spec.whatwg.org/#parsing-main-inforeign
Note in particular that the special behaviour for <script> here doesn't
include changing the tokeniser mode, like it would in non-foreign content.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic