On Tue, Jan 19, 2010 at 7:13 PM, Jim Driscoll <Jim.Driscoll(a)sun.com> wrote:
Ganesh -

As far as I know, the runscripts behavior is the same between MyFaces and
Mojarra - what's the difference that you are speaking of? Werner and I
collaborated a bit during beta to make sure they were the same...

Thus, I'm confused by your contention in the bug:
https://javaserverfaces-spec-public.dev.java.net/issues/show_bug.cgi?id=724

That:
MyFaces 2.0 does execute script, Mojarra doesn't, spec needs to clarify for
unification

Agree that this needs to be in the spec. Its omission was an oversight.

As for applying styles:
The <style> tag is only valid in the <head> - and we do not apply stuff in
the head right now - mostly because there are just so very many bugs when
doing so.

Actually, changing the head is not really possible, as far as I can remember
from our discussions and my testing on many browsers. So far only some IE
versions and Mozilla allow that to some degree under some conditions.

So, this may be surfacing a more major lack in the spec than just
styles.

Jim

On 12/22/09 12:26 PM, Ganesh wrote:
> No, these aren't attributes. If XHTML that comes in via xhr
> contains scripts these *always* need to be executed and
> styles need to be *always* applied. Some browsers in combination with
> some replacement methods already do this for us, some don't, so we need
> to take action.
>
> I cannot see the security hole with this as some browsers
> actually do it. Can you make up a setup that illustrates
> the hole?
>
> Best regards,
> Ganesh
>
>> There are also 2 functional clarifications I want to propose.
>> Mojarra and MyFaces partly differ in this, so I think we need to
>> clarify.
>>
>>
>> Sorry, I'm confused. Are runscripts and applystyles f:ajax tag
>> attributes? If so, do the attributes affect only the Ajax request that
>> f:ajax fires, or is it an app-wide setting for all Ajax requests?
>>
>> runscripts: If a piece of XHTML comes in via xhr and contains
>> <script> tags the ajax engine should automatically trigger execution of
>> these scripts. This is important if you want to replace a js function
>> or if the scripts somehow initialize UI elements. It depends on a
>> combination of the js replacement code
>> (innerHTML/adjacentHTML/contextualFragment/...) and the browser
>> platform whether the browsers automatically run these scripts;
>> IE mostly doesn't run them, FF mostly does so. The ajax engine should
>> know whether the browser does automatically run the scripts and if it
>> doesn't they should be triggered via js.
>>
>>
>> I understand the desire for this, but this opens a pretty big security
>> hole, doesn't it? Do we need to do anything about that?
>>
>>
>
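
The runscripts step proposed in the quoted text, sketched as an added example (not MyFaces or Mojarra code, and not part of the original thread): the engine pulls inline <script> bodies out of a fragment received via xhr so it can run them itself, which means any user value the server echoes unescaped is picked up as script too. The names extractScripts, escapeHtml and renderFragment and the sample fragment are constructed for illustration; a regex stands in for the DOM walk a browser engine would do so that the example runs offline.

```javascript
// Added illustration; not code from MyFaces or Mojarra.
// Models the "runscripts" step: an Ajax engine that inserts a fragment with
// innerHTML must find the inline <script> bodies itself, because browsers do
// not reliably execute scripts inserted that way.

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;

// Split a response fragment into the markup to insert and the script bodies
// the engine would have to run explicitly after insertion.
function extractScripts(fragment) {
  const scripts = [];
  const markup = fragment.replace(SCRIPT_RE, (_, body) => {
    if (body.trim() !== '') scripts.push(body.trim());
    return '';
  });
  return { markup, scripts };
}

// Server-side output escaping: the control that keeps user data from
// becoming a <script> element in the fragment.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Constructed partial response: one script written by the page author plus
// one user-controlled value echoed into the markup.
function renderFragment(userValue, escape) {
  const shown = escape ? escapeHtml(userValue) : userValue;
  return '<div id="out">' + shown + '</div>' +
         '<script>initWidget("out");</script>';
}

// Constructed input: a value that carries its own script element.
const userValue = 'hi<script>notFromTheAuthor()</script>';

const unescaped = extractScripts(renderFragment(userValue, false));
const escaped = extractScripts(renderFragment(userValue, true));

console.log(unescaped.scripts); // author's script and the echoed one
console.log(escaped.scripts);   // only the author's script
```

With escaping in place the echoed value stays inert text in the markup, so the scripts the engine runs are exactly the ones the page author wrote.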