Ability to configure whether script elements should execute for setHTMLUnsafe() #10090
Labels
addition/proposal
New features or enhancements
needs implementer interest
Moving the issue forward requires implementers to express interest
topic: parser
topic: script
Comments
zcorpan
added
addition/proposal
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
and others
What is the issue with the HTML Standard?
Currently
innerHTMLandinsertContextualFragment()will not executescriptelements because:https://html.spec.whatwg.org/#script-processing-model:already-started-4 sets "already started" to true when the element is inserted into the temporary document during fragment parsing, and step 17 returns because scripting is disabled for that document. Then when the elements are inserted into the right place, "already started" is still true and https://html.spec.whatwg.org/#script-processing-model:already-started-3 returns.
Range.createContextualFragment()unsets the "already started" flag and therefore runs scripts: https://w3c.github.io/DOM-Parsing/#dom-range-createcontextualfragment (step 4).In a previous meeting for Sanitizer API, we discussed this for
setHTMLUnsafe()and the group's general agreement was that we should align withinnerHTMLby default but in the future we can allow a config to makescriptelements execute.(This was originally filed at WICG/sanitizer-api#195 )
cc @whatwg/html-parser @mozfreddyb
The text was updated successfully, but these errors were encountered: