Closed
Bug 1397822
Opened 7 years ago
Closed 4 years ago
<script type> / <style type> need to be much stricter
Categories
(Core :: DOM: Core & HTML, enhancement, P3)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: annevk, Unassigned)
References
Details
Instead we appear to parse the value as a MIME type and then do some kind of matching, but that's not allowed per HTML's processing model: https://html.spec.whatwg.org/#prepare-a-script Trivial test: data:text/html,<script type=text/javascript;>alert("You failed this test")</script> We might tighten up some of the prose a bit further in this HTML Standard issue and maybe also work on some web-platform-tests if there aren't any (unless whoever fixes this bug is first): https://github.com/whatwg/html/issues/3022
|
||
Updated•7 years ago
|
Priority: -- → P3
|
Reporter | |
Comment 1•7 years ago
|
||
We should fix <style type> at the same time. New web-platform-tests: https://github.com/w3c/web-platform-tests/pull/7344
Summary: <script type> needs to perform a case-insensitive match for a JavaScript MIME type → <script type> / <style type> need to be much stricter
|
Assignee | |
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
|
||
Comment 3•4 years ago
|
||
I think <script> was similarly fixed by bug 1428745. The test in comment 0 at least doesn't reproduce.
Depends on: 1428745
|
|
Reporter | |
Comment 4•4 years ago
|
||
Thanks j.j. and Tom!
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•