You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I hope my post is in the right place, if not I would like to apologise.
The problem
I have a suggestion about DOM parsing which requires a specification change or extension.
The problem has already been mentioned here in two issues, one Issue 6 and the other Issue 19.
In short, in both cases the question arises as to how script blocks should be handled when they are appended to the DOM. My proposal also relates primarily to script blocks. W3c Spec innerHTML under this link it is described that script blocks appended with .innerHTML are not executed. However, there may be cases in which it makes sense to execute the scripts.
Proposed solution
By assigning a value to .innerHTML, executing the script blocks would probably be too great a security risk.
However, an additional parameter could be added to the insertAdjacentHTML method with which the scripts can be executed.
By default, script_exec is false so that nothing changes for the caller of the function. (i.e. even existing ones continue to work without a negative effect)
For example:
...
.insertAdjacentHTML("beforebegin",htmlstr)...
However, if the caller now not only wants to add the <script>-blocks but also execute them, he must explicitly set the parameter to true.
I hope my post is in the right place, if not I would like to apologise.
The problem
I have a suggestion about DOM parsing which requires a specification change or extension.
The problem has already been mentioned here in two issues, one Issue 6 and the other Issue 19.
In short, in both cases the question arises as to how script blocks should be handled when they are appended to the DOM. My proposal also relates primarily to script blocks.
W3c Spec innerHTML under this link it is described that script blocks appended with .innerHTML are not executed. However, there may be cases in which it makes sense to execute the scripts.
Proposed solution
By assigning a value to .innerHTML, executing the script blocks would probably be too great a security risk.
However, an additional parameter could be added to the insertAdjacentHTML method with which the scripts can be executed.
For example:
Implementation idea
By default, script_exec is false so that nothing changes for the caller of the function. (i.e. even existing ones continue to work without a negative effect)
For example:
However, if the caller now not only wants to add the <script>-blocks but also execute them, he must explicitly set the parameter to true.
For example:
If my idea is in the wrong place here, I would like to apologise again and ask where I could best post it.
The text was updated successfully, but these errors were encountered: