Commit

[e] (0) xrefs for DOM Parsing
Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=14151

git-svn-id: http://svn.whatwg.org/webapps@6708 340c8d12-0b0e-0410-8428-c7bf67bfef74
Hixie committed Oct 19, 2011
1 parent f2ea913 commit 12fb592
Showing 3 changed files with 64 additions and 41 deletions.
39 changes: 23 additions & 16 deletions complete.html
Expand Up @@ -3888,7 +3888,17 @@ <h4 id=dependencies><span class=secno>2.2.2 </span>Dependencies</h4>

<li><dfn id=event-click title=event-click><code>click</code></dfn> event</li>

</ul><!--
</ul><p>In addition, user agents must implement the features defined in
the DOM Range, DOM Parsing and Serialization specification, HTML
Editing APIs, and UndoManager and DOM Transaction specifications
that apply to their conformance class.
<a href=#refsDOMRANGE>[DOMRANGE]</a>
<a href=#refsDOMPARSING>[DOMPARSING]</a>
<a href=#refsEDITING>[EDITING]</a>
<a href=#refsUNDO>[UNDO]</a>
</p>

<!--
<p>The following features are defined in the DOM
Range specification: <a href="#refsDOMRANGE">[DOMRANGE]</a></p>
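Review bot: In the relocated "In addition" paragraph, "DOM Parsing and Serialization specification" now carries its own singular "specification" while the sentence still ends with "specifications that apply to their conformance class", so the list reads unevenly: "the DOM Range, DOM Parsing and Serialization specification, HTML Editing APIs, and UndoManager and DOM Transaction specifications". Suggest dropping the added word, as in the wording being replaced, or naming every item in the list the same way. The same wording appears in the index and source hunks.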

Expand All @@ -3908,17 +3918,14 @@ <h4 id=dependencies><span class=secno>2.2.2 </span>Dependencies</h4>
<li><dfn title="dom-Range-startOffset"><code>startOffset</code></dfn> attribute </li>

</ul>
--><p>In addition, user agents must implement the features defined in
the DOM Range, DOM Parsing and Serialization, HTML Editing APIs,
and UndoManager and DOM Transaction specifications that apply to
their conformance class.
<a href=#refsDOMRANGE>[DOMRANGE]</a>
<a href=#refsDOMPARSING>[DOMPARSING]</a>
<a href=#refsEDITING>[EDITING]</a>
<a href=#refsUNDO>[UNDO]</a>
</p>
-->

</dd>
<p>The following features are defined in the DOM Parsing and
Serialization specification: <a href=#refsDOMPARSING>[DOMPARSING]</a></p>

<ul class=brief><li><dfn id=dom-innerhtml title=dom-innerHTML>innerHTML</dfn></li>
<li><dfn id=dom-outerhtml title=dom-outerHTML>outerHTML</dfn></li>
</ul></dd>

<dt>File API</dt>
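Review bot: The two new definitions in the DOM Parsing list are bare text, "<dfn id=dom-innerhtml title=dom-innerHTML>innerHTML</dfn>", while the neighbouring entries in this section wrap the name in code markup and say what kind of feature it is, for example "<dfn id=event-click title=event-click><code>click</code></dfn> event". Every cross-reference this commit adds elsewhere renders the name inside <code>, so suggest <code>innerHTML</code> and <code>outerHTML</code> here as well, each followed by "attribute".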

Expand Down Expand Up @@ -16121,7 +16128,7 @@ <h4 id=the-script-element><span class=secno>4.3.1 </span>The <dfn id=script><cod

<p class=note>When inserted using the <code title=dom-document-write><a href=#dom-document-write>document.write()</a></code> method,
<code><a href=#the-script-element>script</a></code> elements execute (typically synchronously), but
when inserted using <code title=dom-innerHTML>innerHTML</code> and <code title=dom-outerHTML>outerHTML</code> attributes, they do not
when inserted using <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code> and <code title=dom-outerHTML><a href=#dom-outerhtml>outerHTML</a></code> attributes, they do not
execute at all.</p>

<div class=example>
Expand Down Expand Up @@ -16501,7 +16508,7 @@ <h4 id=the-noscript-element><span class=secno>4.3.2 </span>The <dfn><code>noscri
<a href=#text-node>text node</a> children of the <code><a href=#the-noscript-element>noscript</a></code>
element.</li>

<li>Set the <code title=dom-innerHTML>innerHTML</code>
<li>Set the <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code>
attribute of the <var title="">parent element</var> to the value
of <var title="">s</var>. (This, as a side-effect, causes the
<code><a href=#the-noscript-element>noscript</a></code> element to be removed from the
Expand Down Expand Up @@ -51313,7 +51320,7 @@ <h4 id=association-of-controls-and-forms><span class=secno>4.10.18 </span>Associ
outer form "a".</p>

<p>This happens as follows: First, the "e" node gets associated
with "c" in the <a href=#html-parser>HTML parser</a>. Then, the <code title=dom-innerHTML>innerHTML</code> algorithm moves the nodes
with "c" in the <a href=#html-parser>HTML parser</a>. Then, the <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code> algorithm moves the nodes
from the temporary document to the "b" element. At this point, the
nodes see their ancestor chain change, and thus all the "magic"
associations done by the parser are reset to normal ancestor
Expand Down Expand Up @@ -92040,11 +92047,11 @@ <h3 id=serializing-html-fragments><span class=secno>13.3 </span>Serializing HTML
<p>This can enable cross-site scripting attacks. An example of this
would be a page that lets the user enter some font names that are
then inserted into a CSS <code><a href=#the-style-element>style</a></code> block via the DOM and
which then uses the <code title=dom-innerHTML>innerHTML</code>
which then uses the <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code>
IDL attribute to get the HTML serialization of that
<code><a href=#the-style-element>style</a></code> element: if the user enters
"<code>&lt;/style&gt;&lt;script&gt;attack&lt;/script&gt;</code>" as a font
name, <code title=dom-innerHTML>innerHTML</code> will return
name, <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code> will return
markup that, if parsed in a different context, would contain a
<code><a href=#the-script-element>script</a></code> node, even though no <code><a href=#the-script-element>script</a></code> node
existed in the original DOM.</p>
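Review bot: Both occurrences of innerHTML in this cross-site scripting warning now link to #dom-innerhtml, and the only target this commit defines for that id is the bare list entry under 2.2.2 Dependencies, which gives the name and a [DOMPARSING] reference but no description. A reader who follows the link from the warning lands on a term list rather than on anything about what the attribute returns; consider adding a short phrase to the Dependencies entry saying that the attribute's getter and setter are defined in DOM Parsing and Serialization.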
39 changes: 23 additions & 16 deletions index
Expand Up @@ -3888,7 +3888,17 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d

<li><dfn id=event-click title=event-click><code>click</code></dfn> event</li>

</ul><!--
</ul><p>In addition, user agents must implement the features defined in
the DOM Range, DOM Parsing and Serialization specification, HTML
Editing APIs, and UndoManager and DOM Transaction specifications
that apply to their conformance class.
<a href=#refsDOMRANGE>[DOMRANGE]</a>
<a href=#refsDOMPARSING>[DOMPARSING]</a>
<a href=#refsEDITING>[EDITING]</a>
<a href=#refsUNDO>[UNDO]</a>
</p>

<!--
<p>The following features are defined in the DOM
Range specification: <a href="#refsDOMRANGE">[DOMRANGE]</a></p>

Expand All @@ -3908,17 +3918,14 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
<li><dfn title="dom-Range-startOffset"><code>startOffset</code></dfn> attribute </li>

</ul>
--><p>In addition, user agents must implement the features defined in
the DOM Range, DOM Parsing and Serialization, HTML Editing APIs,
and UndoManager and DOM Transaction specifications that apply to
their conformance class.
<a href=#refsDOMRANGE>[DOMRANGE]</a>
<a href=#refsDOMPARSING>[DOMPARSING]</a>
<a href=#refsEDITING>[EDITING]</a>
<a href=#refsUNDO>[UNDO]</a>
</p>
-->

</dd>
<p>The following features are defined in the DOM Parsing and
Serialization specification: <a href=#refsDOMPARSING>[DOMPARSING]</a></p>

<ul class=brief><li><dfn id=dom-innerhtml title=dom-innerHTML>innerHTML</dfn></li>
<li><dfn id=dom-outerhtml title=dom-outerHTML>outerHTML</dfn></li>
</ul></dd>

<dt>File API</dt>

Expand Down Expand Up @@ -16121,7 +16128,7 @@ c-end = "--&gt;"</pre>

<p class=note>When inserted using the <code title=dom-document-write><a href=#dom-document-write>document.write()</a></code> method,
<code><a href=#the-script-element>script</a></code> elements execute (typically synchronously), but
when inserted using <code title=dom-innerHTML>innerHTML</code> and <code title=dom-outerHTML>outerHTML</code> attributes, they do not
when inserted using <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code> and <code title=dom-outerHTML><a href=#dom-outerhtml>outerHTML</a></code> attributes, they do not
execute at all.</p>

<div class=example>
Expand Down Expand Up @@ -16501,7 +16508,7 @@ not-slash = %x0000-002E / %x0030-10FFFF
<a href=#text-node>text node</a> children of the <code><a href=#the-noscript-element>noscript</a></code>
element.</li>

<li>Set the <code title=dom-innerHTML>innerHTML</code>
<li>Set the <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code>
attribute of the <var title="">parent element</var> to the value
of <var title="">s</var>. (This, as a side-effect, causes the
<code><a href=#the-noscript-element>noscript</a></code> element to be removed from the
Expand Down Expand Up @@ -51313,7 +51320,7 @@ out of 233&thinsp;257&thinsp;824 bytes available&lt;/meter&gt;&lt;/p&gt;</pre>
outer form "a".</p>

<p>This happens as follows: First, the "e" node gets associated
with "c" in the <a href=#html-parser>HTML parser</a>. Then, the <code title=dom-innerHTML>innerHTML</code> algorithm moves the nodes
with "c" in the <a href=#html-parser>HTML parser</a>. Then, the <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code> algorithm moves the nodes
from the temporary document to the "b" element. At this point, the
nodes see their ancestor chain change, and thus all the "magic"
associations done by the parser are reset to normal ancestor
Expand Down Expand Up @@ -92040,11 +92047,11 @@ document.body.appendChild(text);
<p>This can enable cross-site scripting attacks. An example of this
would be a page that lets the user enter some font names that are
then inserted into a CSS <code><a href=#the-style-element>style</a></code> block via the DOM and
which then uses the <code title=dom-innerHTML>innerHTML</code>
which then uses the <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code>
IDL attribute to get the HTML serialization of that
<code><a href=#the-style-element>style</a></code> element: if the user enters
"<code>&lt;/style&gt;&lt;script&gt;attack&lt;/script&gt;</code>" as a font
name, <code title=dom-innerHTML>innerHTML</code> will return
name, <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code> will return
markup that, if parsed in a different context, would contain a
<code><a href=#the-script-element>script</a></code> node, even though no <code><a href=#the-script-element>script</a></code> node
existed in the original DOM.</p>
27 changes: 18 additions & 9 deletions source
Expand Up @@ -2814,6 +2814,16 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d

</ul>

<p>In addition, user agents must implement the features defined in
the DOM Range, DOM Parsing and Serialization specification, HTML
Editing APIs, and UndoManager and DOM Transaction specifications
that apply to their conformance class.
<a href="#refsDOMRANGE">[DOMRANGE]</a>
<a href="#refsDOMPARSING">[DOMPARSING]</a>
<a href="#refsEDITING">[EDITING]</a>
<a href="#refsUNDO">[UNDO]</a>
</p>

<!--END w3c-html--><!--
<p>The following features are defined in the DOM
Range specification: <a href="#refsDOMRANGE">[DOMRANGE]</a></p>
Expand All @@ -2836,15 +2846,14 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
</ul>
--><!--START w3c-html-->

<p>In addition, user agents must implement the features defined in
the DOM Range, DOM Parsing and Serialization, HTML Editing APIs,
and UndoManager and DOM Transaction specifications that apply to
their conformance class.
<a href="#refsDOMRANGE">[DOMRANGE]</a>
<a href="#refsDOMPARSING">[DOMPARSING]</a>
<a href="#refsEDITING">[EDITING]</a>
<a href="#refsUNDO">[UNDO]</a>
</p>
<p>The following features are defined in the DOM Parsing and
Serialization specification: <a
href="#refsDOMPARSING">[DOMPARSING]</a></p>

<ul class="brief">
<li><dfn title="dom-innerHTML">innerHTML</dfn></li>
<li><dfn title="dom-outerHTML">outerHTML</dfn></li>
</ul>

</dd>
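Review bot: In the new "The following features are defined in the DOM Parsing and Serialization specification" paragraph, the reference link is broken inside the tag, with "<a" ending one line and "href="#refsDOMPARSING">" starting the next, whereas the other reference links in this file keep the tag on one line ("<a href="#refsDOMRANGE">[DOMRANGE]</a>"). Suggest breaking the line before "<a" so the tag stays whole and the source remains easy to search for href values.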

