On Thu, Jul 31, 2014 at 03:27:18AM -0400, Karl Dahlke wrote: > > So they are overloading the <script> tag? > > I think they have done so almost from the begining.
Yeah probably. The developper of the syntax highlighter software even says not to use this method in environments (like blog posts which may be converted to rss etc) where the script tags may be stripped out. The reason they're doing it is due to the fact that whatever's in the script tag doesn't require html escaping. > > Is edbrowse also trying to execute things that it should not > > I don't believe so. > If the language attribute is given I require it to say javascript. > <script language=javascript> > If no language attribute is given I assume javascript, > which is what the documentation says to do. > It's possible that I should also be checking the type attribute. Yes we should if it exists. However, even though edbrowse is registering these tags as containing javascript, when using the syntax highlighter in this mode one uses a CDATA section to surround the data, and thus I think edbrowse isn't parsing the contents of these tags. Cheers, Adam.
signature.asc
Description: Digital signature
_______________________________________________ Edbrowse-dev mailing list [email protected] http://lists.the-brannons.com/mailman/listinfo/edbrowse-dev
