<br><br><div class="gmail_quote">On Tue, Jan 19, 2010 at 7:13 PM, Jim Driscoll <span dir="ltr"><<a href="mailto:Jim.Driscoll@sun.com">Jim.Driscoll@sun.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Ganesh -<br>
<br>
As far as I know, the runscripts behavior is the same between MyFaces and Mojarra - what's the difference that you are speaking of? Werner and I collaborated a bit during beta to make sure they were the same...<br>
<br>
Thus, I'm confused by your contention in the bug:<br>
<br>
<a href="https://javaserverfaces-spec-public.dev.java.net/issues/show_bugcgi?id=724" target="_blank">https://javaserverfaces-spec-public.dev.java.net/issues/show_bug.cgi?id=724</a><br>
<br>
That:<br>
<br>
MyFaces 2.0 does execute script, Mojarra doesn't, spec needs to clarify for<br>
unification<br>
<br>
Agree that this needs to be in the spec. It's omission was an oversight.<br>
<br>
As for applying styles:<br>
<br>
The <style> tag is only valid in the <head> - and we do not apply stuff in the head right now - mostly because there are just so very many bugs when doing so.<br>
</blockquote><div>Actually the head changing is not really possible afair as I can remember our discussions and my testing on many browsers. So far only some IE versions and Mozilla do some degree under some conditions allow that.</div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
So, this may be surfacing a more major lack in the spec than just styles.<br><font color="#888888">
<br>
Jim</font><div><div></div><div class="h5"><br>
<br>
On 12/22/09 12:26 PM, Ganesh wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
no, these aren't attributes. If XHTML that comes in via xhr<br>
contains scripts these *always* need to be executed and<br>
styles need to be *always* applied. Some browsers in combination with<br>
some replacement methods already do this for us, some don't, so we need<br>
to take action.<br>
<br>
I cannot see the security hole with this as some browsers<br>
actually do it. Can you make up a setup that illustrates<br>
the hole?<br>
<br>
Best regards,<br>
Ganesh<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
There are also 2 functional clarifications I want to propose.<br>
Mojarra and MyFaces partly differ in this, so I think we need to<br>
clarify.<br>
<br>
<br>
Sorry, I'm confused. Are runscripts and applystyles f:ajax tag<br>
attributes? If so, do the attributes affect only the Ajax request that<br>
f:ajax fires, or is it an app-wide setting for all Ajax requests?<br>
<br>
runscripts: If a piece of XHTML comes in via xhr and contains<br>
<script> tags the ajax engine should automatically trigger execution of<br>
these scripts. This is important if you want to replace a js function<br>
or if the scripts somehow initialize UI elements. It depends on a<br>
combination of the js replacement code<br>
(innerHTML/adjacentHTML/contextualFragment/...) and the browser<br>
platform whether the browsers automatically run these scripts,<br>
IE mostly doesn't run them FF mostly does so. The ajax engine should<br>
know whether the browser does automatically run the scripts and if it<br>
doesn't they should be triggered via js.<br>
<br>
<br>
I understand the desire for this, but this opens a pretty big security<br>
hole, doesn't it? Do we need to do anything about that?<br>
<br>
</blockquote>
<br>
</blockquote>
</div></div></blockquote></div><br>