On Thu, 21 Aug 2008 23:54:44 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:

Here is the list of elements that we *don't* execute scripts inside of in Firefox:

http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsScriptElement.cpp#148

i.e. <iframe>, <noframes>, <noembed>

Everywhere else we do execute the script.

The reason these elements ended up on the list is in bugs
https://bugzilla.mozilla.org/show_bug.cgi?id=5847
https://bugzilla.mozilla.org/show_bug.cgi?id=26669

iframe, noframes and noembed are parsed as CDATA elements

http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0D%0A%3Ciframe%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E%3C%2Fiframe%3E

so there can't be any script elements as children of those in text/html. In Opera and WebKit, the script executes in

data:text/xml,<iframe xmlns='http://www.w3.org/1999/xhtml'><script>alert(1)</script></iframe>

and it hasn't caused us any problems AFAIK.

--
Simon Pieters
Opera Software
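
The parsing difference described in this message, as an added example (not part of the original email and not code from any browser): a simplified JavaScript model of which elements get created when the content of `<iframe>`, `<noframes>` and `<noembed>` is raw text (text/html) versus ordinary markup (XML). The function names and the regex scanner are assumptions made for illustration; comments, attribute values containing `>` and script-data escapes are not handled.

```javascript
// Simplified model only; names below are hypothetical, not browser APIs.
const RAW_TEXT = new Set(["iframe", "noframes", "noembed", "script"]);
const START_TAG = "<([a-zA-Z][^\\s/>]*)[^>]*>";

// text/html model: after a raw-text start tag, everything up to the matching
// end tag is character data, so no child elements are created inside it.
function htmlElementNames(markup) {
  const names = [];
  const startTag = new RegExp(START_TAG, "g");
  let m;
  while ((m = startTag.exec(markup)) !== null) {
    const name = m[1].toLowerCase(); // HTML tag names are case-insensitive
    names.push(name);
    if (RAW_TEXT.has(name)) {
      const end = new RegExp("</" + name + "[\\s/>]", "i");
      const hit = end.exec(markup.slice(startTag.lastIndex));
      if (hit === null) break; // unterminated: raw text runs to end of input
      startTag.lastIndex += hit.index; // resume scanning at the end tag
    }
  }
  return names;
}

// XML model: there are no raw-text elements, every start tag is an element.
function xmlElementNames(markup) {
  return [...markup.matchAll(new RegExp(START_TAG, "g"))].map((m) => m[1]);
}

// A script element exists (and can run) only if the parser created it.
function createsScriptElement(names) {
  return names.includes("script");
}

// Constructed samples based on the two URLs quoted in the message.
const HTML_SAMPLE = "<!DOCTYPE html>\n<iframe><script>alert(1)</script></iframe>";
const XML_SAMPLE =
  "<iframe xmlns='http://www.w3.org/1999/xhtml'><script>alert(1)</script></iframe>";

console.log("text/html:", htmlElementNames(HTML_SAMPLE));
console.log("XML:      ", xmlElementNames(XML_SAMPLE));
```

A filter that inspects markup under one of these models reaches a different answer than a consumer parsing the same bytes under the other, so the check has to use the same parsing mode as the document it protects.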
