[Webkit-unassigned] [Bug 12234] Using createContextualFragment to insert a <script> does not cause the script to execute
bugzilla-daemon at webkit.org
Mon Nov 29 17:05:31 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=12234
--- Comment #12 from Ryosuke Niwa <rniwa at webkit.org> 2010-11-29 17:05:31 PST ---
(In reply to comment #11)
> rniwa, thanks for being sensitive to creating XSS vulnerabilities. However, in this case, we're not opening up a new vulnerability. The attacker can already use other syntactic constructs to execute script, similar to how the attacker can run script via innerHTML even though innerHTML doesn't execute <script> tags.
Ok. Then we probably should fix this bug to be compatible with Firefox. Special-casing fragment parsing at first seemed strange, but a number of developers pointed out that the fragment created by createContextualFragment is no different from a fragment created by manually assembling nodes. And because a script element manually inserted into a fragment runs when the fragment is inserted into a document, we should also run the script parsed by createContextualFragment when the fragment is inserted into a document.