No, these aren't attributes. If XHTML that comes in via xhr
contains scripts these *always* need to be executed and
styles need to be *always* applied. Some browsers in
combination with some replacement methods already do this
for us, some don't, so we need to take action.
I cannot see the security hole with this as some browsers
actually do it. Can you make up a setup that illustrates
the hole?

Best regards,
Ganesh

There are also 2 functional clarifications I want to propose.
Mojarra and MyFaces partly differ in this, so I think we need to
clarify.
Sorry, I'm confused. Are runscripts and applystyles f:ajax tag
attributes? If so, do the attributes affect only the Ajax request that
f:ajax fires, or is it an app-wide setting for all Ajax requests?
runscripts: If a piece of XHTML comes in via xhr and contains
<script> tags the ajax engine should automatically trigger execution of
these scripts. This is important if you want to replace a js function
or if the scripts somehow initialize UI elements. It depends on a
combination of the js replacement code
(innerHTML/adjacentHTML/contextualFragment/...) and the browser
platform whether the browsers automatically run these scripts;
IE mostly doesn't run them, FF mostly does so. The ajax engine should
know whether the browser does automatically run the scripts and if it
doesn't they should be triggered via js.
I understand the desire for this, but this opens a pretty big security
hole, doesn't it? Do we need to do anything about that?
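
Added illustration, not part of the original thread and not Mojarra or MyFaces code: an engine that runs every script in a fragment received via XHR will also run any script that reached the fragment through unencoded user data, so what executes depends on output encoding where the fragment is rendered. The regex extraction is a simplified stand-in for the engine's script step, and all function names and sample data are hypothetical.

```javascript
// Simplified model of an ajax engine's "run scripts" step: collect the
// inline <script> bodies found in a fragment that arrived via XHR.
// (Assumption: a real engine would walk the parsed DOM, not use a regex.)
function extractInlineScripts(fragment) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(fragment)) !== null) {
    bodies.push(m[1].trim());
  }
  return bodies;
}

// Output-encode untrusted text before it is placed into markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical server-side rendering of a partial response: a comment
// area plus the page's own initialisation script.
function renderFragment(comment, encode) {
  const body = encode ? escapeHtml(comment) : comment;
  return '<div id="comments">' + body + "</div>" +
         "<script>initComments();</script>";
}

// Constructed sample: a stored user comment that contains markup.
const storedComment = "nice post<script>injected()</script>";

// Without encoding, the engine would execute two scripts: the one from
// the comment and the page's own.
const unsafe = extractInlineScripts(renderFragment(storedComment, false));

// With encoding, only the page's own script is found.
const safe = extractInlineScripts(renderFragment(storedComment, true));

console.log("unencoded fragment, scripts to run:", unsafe);
console.log("encoded fragment, scripts to run:  ", safe);
```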