On Tue, Jan 19, 2010 at 7:13 PM, Jim Driscoll <Jim.Driscoll@sun.com> wrote:
Ganesh -

As far as I know, the runscripts behavior is the same between MyFaces and Mojarra - what's the difference that you are speaking of?  Werner and I collaborated a bit during beta to make sure they were the same...

Thus, I'm confused by your contention in the bug:

https://javaserverfaces-spec-public.dev.java.net/issues/show_bug.cgi?id=724

That:

MyFaces 2.0 does execute script, Mojarra doesn't, spec needs to clarify for
unification

Agree that this needs to be in the spec.  Its omission was an oversight.

As for applying styles:

The <style> tag is only valid in the <head> - and we do not apply stuff in the head right now - mostly because there are just so very many bugs when doing so.

Actually, the head changing is not really possible AFAIR, as I can remember from our discussions and my testing on many browsers. So far only some IE versions and Mozilla allow that to some degree under some conditions.

So, this may be surfacing a more major lack in the spec than just styles.

Jim


On 12/22/09 12:26 PM, Ganesh wrote:
No, these aren't attributes. If XHTML that comes in via xhr
contains scripts these *always* need to be executed and
styles need to be *always* applied. Some browsers in combination with
some replacement methods already do this for us, some don't, so we need
to take action.

I cannot see the security hole with this as some browsers
actually do it. Can you make up a setup that illustrates
the hole?

Best regards,
Ganesh
There are also 2 functional clarifications I want to propose.
Mojarra and MyFaces partly differ in this, so I think we need to
clarify.


Sorry, I'm confused. Are runscripts and applystyles f:ajax tag
attributes? If so, do the attributes affect only the Ajax request that
f:ajax fires, or is it an app-wide setting for all Ajax requests?

runscripts: If a piece of XHTML comes in via xhr and contains
<script> tags the ajax engine should automatically trigger execution of
these scripts. This is important if you want to replace a js function
or if the scripts somehow initialize UI elements. It depends on a
combination of the js replacement code
(innerHTML/adjacentHTML/contextualFragment/...) and the browser
platform whether the browsers automatically run these scripts,
IE mostly doesn't run them, FF mostly does so. The ajax engine should
know whether the browser does automatically run the scripts and if it
doesn't they should be triggered via js.


I understand the desire for this, but this opens a pretty big security
hole, doesn't it? Do we need to do anything about that?
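The runscripts step described in this thread, as an added example that is not code from the thread, from Mojarra or from MyFaces: browsers that insert a fragment via innerHTML do not execute the `<script>` elements in it, so the Ajax engine has to locate them and trigger them itself. The fragment, the `ctx` object and the function names below are constructed for the illustration; it runs in Node without a DOM, which is why inline scripts are invoked through `Function` rather than by appending script elements.

```javascript
// Constructed sample of an XHTML fragment as it might arrive via xhr:
// one external script, one inline script wrapped in XHTML CDATA.
const SAMPLE_RESPONSE = [
  '<div id="form:panel">',
  '  <script type="text/javascript" src="/js/widgets.js"></script>',
  '  <script type="text/javascript">//<![CDATA[',
  '    ctx.initialized = (ctx.initialized || 0) + 1;',
  '  //]]></script>',
  '  <span>updated</span>',
  '</div>',
].join('\n');

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const JS_TYPES = new Set(['text/javascript', 'application/javascript', 'text/ecmascript']);

// Strip the "//<![CDATA[" ... "//]]>" wrapper XHTML pages put around inline JS.
function unwrapCdata(body) {
  return body.replace(/\/\/\s*<!\[CDATA\[|\/\/\s*\]\]>|<!\[CDATA\[|\]\]>/g, '').trim();
}

// Find every <script> in the fragment; innerHTML would silently leave them inert.
function extractScripts(fragment) {
  const scripts = [];
  for (const m of fragment.matchAll(SCRIPT_RE)) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    const type = /\btype\s*=\s*["']([^"']+)["']/i.exec(attrs);
    scripts.push({
      src: src ? src[1] : null,
      type: type ? type[1].toLowerCase() : 'text/javascript',
      body: unwrapCdata(m[2]),
    });
  }
  return scripts;
}

// Execute the inline JS scripts and report how many ran. External (src=) scripts
// would be loaded by appending a script element in a browser; skipped here.
// Note the security point raised in the thread: every inline script in the
// response runs with the page's own privileges, so the response source must be
// trusted (here: the same-origin JSF server that produced it).
function runInlineScripts(fragment, ctx) {
  let executed = 0;
  for (const s of extractScripts(fragment)) {
    if (s.src !== null || !JS_TYPES.has(s.type)) continue;
    new Function('ctx', s.body)(ctx);
    executed += 1;
  }
  return executed;
}
```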