Marius Dumitru Florea wrote:
Hi Caleb,
On 06/13/2010 10:31 PM, Caleb James DeLisle wrote:
I would like to see a (written) best practice of putting all javascript content into the
head of the XHTML document.
Reason 1:
Moving all script into the head makes it easier to find and makes impossible bad (and
often non WCAG compliant) practices such as attaching script to xml attributes.
It makes it less of a jungle.
Reason 2:
If we have no script in the body of any documents then users can implement filters which
remove any script after the </head> tag. This would make script injection certifiably
impossible.
WDYT?
Let's say I have a JavaScript component that is configurable and has
lots of parameters. I'm including the code of this component using a
script tag in the head but I want to invoke it multiple times with
different parameters inside the body tag. The parameters of each
instance depend on content that was previously generated in the document
body. How would you do that without using script tags inside the body?
Good point. There are situations where it's unreasonably hard to comply with a best
practice.
My Invitation preview code contains style information in style attributes in the code.
That is because the email content contains style information and to remove it would make
it not a true preview.
In such cases I think we just need to acknowledge that best practices don't fit every
single situation.
If there were an XSS filter, the filter would have to understand an HTML comment in the
head which told it that the page was to be treated differently.
I don't think that we should avoid codifying this just because some use cases are
unable to comply.
Caleb
Thanks,
Marius
Caleb
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
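
The filter proposed under Reason 2, as an added example that is not part of the original thread and is not XWiki code. It shows that "any script after the </head> tag" has to cover script elements, `on*` handler attributes and script-scheme URLs. It assumes the page is well-formed XHTML; the function names, the sample document and `component.js` are hypothetical.

```python
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
URL_ATTRS = {"href", "src", "action", "formaction"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")

def local(name):
    """Drop the '{namespace}' prefix ElementTree adds to tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def drop(parent, child):
    """Remove child but keep the text that followed it (its tail)."""
    idx = list(parent).index(child)
    tail = child.tail or ""
    if idx == 0:
        parent.text = (parent.text or "") + tail
    else:
        parent[idx - 1].tail = (parent[idx - 1].tail or "") + tail
    parent.remove(child)

def strip_body_script(xhtml):
    """Return the document with script removed from everything outside <head>."""
    ET.register_namespace("", XHTML_NS)
    root = ET.fromstring(xhtml)  # rejects input that is not well-formed XML
    head = next((e for e in root if local(e.tag) == "head"), None)
    keep = set(head.iter()) if head is not None else set()
    for el in list(root.iter()):
        for child in list(el):
            if local(child.tag) == "script" and child not in keep:
                drop(el, child)
        if el in keep:
            continue  # the head is the sanctioned place for script
        for attr in list(el.attrib):
            value = "".join(el.attrib[attr].split()).lower()
            if local(attr).startswith("on") or (
                local(attr) in URL_ATTRS and value.startswith(SCRIPT_SCHEMES)
            ):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode", short_empty_elements=False)

# Constructed sample: one sanctioned head script, script carriers in the body.
SAMPLE = """<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>t</title><script type="text/javascript" src="component.js"></script></head>
<body onload="init()">
<div class="widget" title="rows=5">first</div>
<p>before<script type="text/javascript">injected()</script>after</p>
<a href=" JavaScript:injected()" onclick="injected()">link</a>
</body></html>"""
```

Parameters carried as plain attributes in the body (the `title="rows=5"` div in the sample) pass through untouched, so a component loaded in the head can still read them.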