Ability to configure whether script elements should execute for setHTMLUnsafe() #10090
Labels: addition/proposal, needs implementer interest, topic: parser, topic: script
What is the issue with the HTML Standard?
Currently `innerHTML` and `insertContextualFragment()` will not execute `script` elements because: https://html.spec.whatwg.org/#script-processing-model:already-started-4 sets "already started" to true when the element is inserted into the temporary document during fragment parsing, and step 17 returns because scripting is disabled for that document. Then when the elements are inserted into the right place, "already started" is still true and https://html.spec.whatwg.org/#script-processing-model:already-started-3 returns.

`Range.createContextualFragment()` unsets the "already started" flag and therefore runs scripts: https://w3c.github.io/DOM-Parsing/#dom-range-createcontextualfragment (step 4).

In a previous meeting for Sanitizer API, we discussed this for `setHTMLUnsafe()` and the group's general agreement was that we should align with `innerHTML` by default but in the future we can allow a config to make `script` elements execute.

(This was originally filed at WICG/sanitizer-api#195)
cc @whatwg/html-parser @mozfreddyb
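To make the "already started" reasoning above concrete, here is an added, simplified model of the flag handling (not spec text, not any browser's implementation, and not code from this issue). The document, element and fragment-parser objects are stand-ins, and the `allowScripts` option on `setHTMLUnsafe()` is a hypothetical config, since the issue only proposes that one exist.

```javascript
// Simplified model of the "already started" flag in the HTML spec's
// "prepare the script element" algorithm. Added for illustration only;
// ModelDocument/ModelScript are stand-ins, not DOM objects.

class ModelDocument {
  constructor(scriptingEnabled) {
    this.scriptingEnabled = scriptingEnabled;
    this.executed = []; // sources of scripts that actually ran
  }
}

class ModelScript {
  constructor(source) {
    this.source = source;
    this.alreadyStarted = false;
  }
}

// The two early returns the issue points at. Returns true if the script ran.
function prepareScript(el, doc) {
  if (el.alreadyStarted) return false;     // already-started-3: bail out
  el.alreadyStarted = true;                // already-started-4: set the flag
  if (!doc.scriptingEnabled) return false; // step 17: scripting disabled
  doc.executed.push(el.source);
  return true;
}

// Fragment parsing inserts scripts into a temporary document with scripting
// disabled, so they are marked "already started" without ever running.
function parseFragment(sources) {
  const tempDoc = new ModelDocument(false);
  return sources.map((src) => {
    const el = new ModelScript(src);
    prepareScript(el, tempDoc);
    return el;
  });
}

function insertAll(elements, doc) {
  for (const el of elements) prepareScript(el, doc);
}

// innerHTML: the flag is still set on insertion, so nothing executes.
function innerHTML(doc, sources) {
  insertAll(parseFragment(sources), doc);
}

// Range.createContextualFragment(): unsets the flag first (DOM Parsing step 4),
// so the scripts run when inserted into a scripting-enabled document.
function createContextualFragment(doc, sources) {
  const els = parseFragment(sources);
  for (const el of els) el.alreadyStarted = false;
  insertAll(els, doc);
}

// setHTMLUnsafe() as discussed: innerHTML behaviour by default, with a
// hypothetical `allowScripts` config that opts into execution.
function setHTMLUnsafe(doc, sources, { allowScripts = false } = {}) {
  const els = parseFragment(sources);
  if (allowScripts) for (const el of els) el.alreadyStarted = false;
  insertAll(els, doc);
}
```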