Document.parseHTMLUnsafe should create an inert/loaded-as-data document
Categories
(Core :: DOM: Core & HTML, task)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox140 | --- | fixed |
People
(Reporter: tschuster, Assigned: tschuster)
References
(Blocks 1 open bug)
Attachments
(1 file)
I think we should always be parsing the HTML for parseHTMLUnsafe (and parseHTML) as "data" aka. "inert" documents. (This means changing the fourth parameter of NS_NewHTMLDocument.)
I am mostly basing this on this note in the specification:
Since document does not have a browsing context, scripting is disabled.
https://html.spec.whatwg.org/#dom-parsehtmlunsafe
Furthermore we probably shouldn't be trying to start loading e.g. images, before the Sanitizer has a chance of running?
I currently only did this for the case when sanitizing (bug 1959727), but there really shouldn't be a difference between using a completely permissive sanitizer or no sanitizer at all. Document.parseHTMLUnsafe was added in D193676.
See also bug 1960845, which is related and about parsing <noscript>.
Comment 1 • 3 months ago (Assignee)
During our Sanitizer meeting Anne said that he thinks these methods should behave like the DOMParser. We create "loadAsData" documents for the DOMParser as well (aLoadedAsData: true). At this point I think this is just an oversight in the initial implementation of Document.parseHTMLUnsafe.
Comment 3 • 3 months ago (Assignee)
As you can see from the Matrix #dom channel I have been trying to write a test that would actually show a difference in behavior, but I have failed so far.
Comment 5 • 3 months ago (bugherder)