From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:0.9.4+) Gecko/20010919 BuildID: 2001091903 Content-Script-Type does not set the defualt scripting language, as specified in HTML 4. Since VBScipt is unsupported in Mozilla the OnClick event in the following example should be ignored in accordance with the HTML 4.01 Specification chapter 18.2.2. Reproducible: Always Steps to Reproduce: 1. Copy Example into new HTML Document. 2. Open new Document in Mozilla. 3. Click on SPAN tag. Actual Results: Mozilla jumps to Mozilla.org. Expected Results: Mozilla should ignore the OnClick event because the default scripting language is not supported. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html/loose.dtd"> <HTML lang="en-US"> <HEAD> <TITLE>Test 1</TITLE> <META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <META http-equiv="Content-Script-Type" content="text/vbscript"> </HEAD> <BODY> <SPAN onclick='location.href="http://www.mozilla.org"'>Go to Mozilla.org</A> </BODY> </HTML>
Reporter: do you have access to a webserver that sends the real Content-Script-Type HTTP header? Does that work?
With my personal webserver I added 'Content-Script-Type: text/vbscript' to the headers and sent it Mozilla, the result was the same as with the META tag, the scripting was not ignored.
Even if the real Content-Script-Type HTTP header did work, the HTML 4.01 Specification states the Content-Script-Type META element takes precedence over the HTTP header; hence, by only supporting the header, Mozilla would still be in violation of the standard. Also, the similar Content-Style-Type META element for setting the default styling languages does work.
Yuck. It doesn't look like this was ever implemented, except for a mention in nsHTMLAtomList.h. Tenatively sending this to DOM Core; whoever receives it, please reassign promptly if it isn't yours, this is a rather serious issue.
Bugs targeted at mozilla1.0 without the mozilla1.0 keyword moved to mozilla1.0.1 (you can query for this string to delete spam or retrieve the list of bugs I've moved)
Need more info for this one. Is it widely used? Are there any real-world sites affected by this? Given that the fix is quite involved (from what I saw in LXR), putting P4 and severity to normal. If you disagree please speak up and we will reconsider.
This isn't used much yet; however it is in the HTML 4 standard, hence it is a major omission.
reference from the spec http://www.w3.org/TR/html401/interact/scripts.html#h-18.2.2 I think I have a patch for this.
Created attachment 109128 [details] [diff] [review] proof-of-concept patch This really shouldnt be all that difficult. Something like the above patch should work. Right? Or am I missing something?
Comment on attachment 109128 [details] [diff] [review] proof-of-concept patch jst, can you please look at this and let me know if this makes sense at all.
Comment on attachment 109128 [details] [diff] [review] proof-of-concept patch This has some more issues. Removing review request.
Mass-reassigning bugs to firstname.lastname@example.org
Brendan: We probably want to implement this for being able to use E4X in event handler attributes.
HTML5 doesn't allow placing Content-Script-Type in the header.
Then how is the script language determined in the example?