
[giow] (2) Make policy checks for <script> happen after the flag is s…

…et that prevents the script from being run again, so that if somehow an attacker causes a document to be reinserted somewhere that has scripts enabled, the scripts still won't run.

Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=10523

git-svn-id: http://svn.whatwg.org/webapps@5499 340c8d12-0b0e-0410-8428-c7bf67bfef74
Hixie committed Sep 25, 2010
1 parent a9b31e6 commit 3083b6004f24ed3498671bb30cfffc4fc19890b2
Showing with 78 additions and 57 deletions.
  1. +25 −18 complete.html
  2. +25 −18 index
  3. +28 −21 source
<code><a href=#script>script</a></code> element is to be run, the user agent must act as
follows:</p>

<ol><li id=script-processing-noscript>
<ol><li>

<p>If <a href=#concept-n-noscript title=concept-n-noscript>scripting is
disabled</a> for the <code><a href=#script>script</a></code> element, or if the
<code><a href=#script>script</a></code> element is marked as having <a href=#already-started>"already
started"</a>, then the user agent must abort these steps at
this point. The script is not executed.</p>
<p>If the <code><a href=#script>script</a></code> element is marked as having
<a href=#already-started>"already started"</a>, then the user agent must abort
these steps at this point. The script is not executed.</p>

</li>


</li>

<li id=script-processing-encoding>

<p>If the <code><a href=#script>script</a></code> element has a <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute, then let
<var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var> for this
<code><a href=#script>script</a></code> element be the encoding given by the <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute.</p>

<p>Otherwise, let <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var>
for this <code><a href=#script>script</a></code> element be the same as <a href="#document's-character-encoding" title="document's character encoding">the encoding of the document
itself</a>.</p>

</li>

<li id=script-processing-start>

<p>The user agent must set the element's <a href=#already-started>"already

</li>

<li id=script-processing-noscript>

<p>If <a href=#concept-n-noscript title=concept-n-noscript>scripting is
disabled</a> for the <code><a href=#script>script</a></code> element, then the user
agent must abort these steps at this point. The script is not
executed.</p>

</li>

<li id=script-processing-for>

<p>If the <code><a href=#script>script</a></code> element has an <code title=attr-script-event><a href=#attr-script-event>event</a></code> attribute and a <code title=attr-script-for><a href=#attr-script-for>for</a></code> attribute, then run these

</li>

<li id=script-processing-encoding>

<p>If the <code><a href=#script>script</a></code> element has a <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute, then let
<var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var> for this
<code><a href=#script>script</a></code> element be the encoding given by the <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute.</p>

<p>Otherwise, let <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var>
for this <code><a href=#script>script</a></code> element be the same as <a href="#document's-character-encoding" title="document's character encoding">the encoding of the document
itself</a>.</p>

</li>

<li id=script-processing-src-prepare>

<p>If the element has a <code title=attr-script-src><a href=#attr-script-src>src</a></code>
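
Review bot: the new first step opens with a bare &lt;ol&gt;&lt;li&gt; and no id, while id=script-processing-noscript stays on the scripting-disabled step that now sits after script-processing-start. Existing links to #script-processing-noscript will land on a later step than before, and the step that aborts on "already started" can no longer be linked to at all. Consider giving the first step its own id and checking references to script-processing-noscript against its new position.
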
43 index
<code><a href=#script>script</a></code> element is to be run, the user agent must act as
follows:</p>

<ol><li id=script-processing-noscript>
<ol><li>

<p>If <a href=#concept-n-noscript title=concept-n-noscript>scripting is
disabled</a> for the <code><a href=#script>script</a></code> element, or if the
<code><a href=#script>script</a></code> element is marked as having <a href=#already-started>"already
started"</a>, then the user agent must abort these steps at
this point. The script is not executed.</p>
<p>If the <code><a href=#script>script</a></code> element is marked as having
<a href=#already-started>"already started"</a>, then the user agent must abort
these steps at this point. The script is not executed.</p>

</li>


</li>

<li id=script-processing-encoding>

<p>If the <code><a href=#script>script</a></code> element has a <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute, then let
<var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var> for this
<code><a href=#script>script</a></code> element be the encoding given by the <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute.</p>

<p>Otherwise, let <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var>
for this <code><a href=#script>script</a></code> element be the same as <a href="#document's-character-encoding" title="document's character encoding">the encoding of the document
itself</a>.</p>

</li>

<li id=script-processing-start>

<p>The user agent must set the element's <a href=#already-started>"already

</li>

<li id=script-processing-noscript>

<p>If <a href=#concept-n-noscript title=concept-n-noscript>scripting is
disabled</a> for the <code><a href=#script>script</a></code> element, then the user
agent must abort these steps at this point. The script is not
executed.</p>

</li>

<li id=script-processing-for>

<p>If the <code><a href=#script>script</a></code> element has an <code title=attr-script-event><a href=#attr-script-event>event</a></code> attribute and a <code title=attr-script-for><a href=#attr-script-for>for</a></code> attribute, then run these

</li>

<li id=script-processing-encoding>

<p>If the <code><a href=#script>script</a></code> element has a <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute, then let
<var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var> for this
<code><a href=#script>script</a></code> element be the encoding given by the <code title=attr-script-charset><a href=#attr-script-charset>charset</a></code> attribute.</p>

<p>Otherwise, let <var><a href="#the-script-block's-character-encoding">the script block's character encoding</a></var>
for this <code><a href=#script>script</a></code> element be the same as <a href="#document's-character-encoding" title="document's character encoding">the encoding of the document
itself</a>.</p>

</li>

<li id=script-processing-src-prepare>

<p>If the element has a <code title=attr-script-src><a href=#attr-script-src>src</a></code>
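
Review bot: the script-processing-encoding step is moved along with the scripting-disabled check: it leaves its place ahead of script-processing-start and reappears after script-processing-for, which the commit message does not mention. Say in the message whether determining the script block's character encoding only after the early aborts is intentional, or put that move in its own commit so the reordering for bug 10523 can be reviewed in isolation.
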
49 source

<ol>

<li id="script-processing-noscript">
<li>

<p>If <span title="concept-n-noscript">scripting is
disabled</span> for the <code>script</code> element, or if the
<code>script</code> element is marked as having <span>"already
started"</span>, then the user agent must abort these steps at
this point. The script is not executed.</p>
<p>If the <code>script</code> element is marked as having
<span>"already started"</span>, then the user agent must abort
these steps at this point. The script is not executed.</p>

</li>


</li>

<li id="script-processing-encoding">

<p>If the <code>script</code> element has a <code
title="attr-script-charset">charset</code> attribute, then let
<var>the script block's character encoding</var> for this
<code>script</code> element be the encoding given by the <code
title="attr-script-charset">charset</code> attribute.</p>

<p>Otherwise, let <var>the script block's character encoding</var>
for this <code>script</code> element be the same as <span
title="document's character encoding">the encoding of the document
itself</span>.</p>

</li>

<li id="script-processing-start">

<p>The user agent must set the element's <span>"already

</li>

<li id="script-processing-noscript">

<p>If <span title="concept-n-noscript">scripting is
disabled</span> for the <code>script</code> element, then the user
agent must abort these steps at this point. The script is not
executed.</p>

</li>

<li id="script-processing-for">

<p>If the <code>script</code> element has an <code

</li>

<li id="script-processing-encoding">

<p>If the <code>script</code> element has a <code
title="attr-script-charset">charset</code> attribute, then let
<var>the script block's character encoding</var> for this
<code>script</code> element be the encoding given by the <code
title="attr-script-charset">charset</code> attribute.</p>

<p>Otherwise, let <var>the script block's character encoding</var>
for this <code>script</code> element be the same as <span
title="document's character encoding">the encoding of the document
itself</span>.</p>

</li>

<li id="script-processing-src-prepare">

<p>If the element has a <code title="attr-script-src">src</code>
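
Review bot: the relocated scripting-disabled step, now after script-processing-start, has no text explaining why it must follow the setting of the "already started" flag; the rationale (a document reinserted somewhere with scripts enabled must still not run its scripts) exists only in the commit message. Add a short non-normative note or a source comment on that step so a later edit does not move the check back in front of the flag.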
