[jsr-314-open] JSF 2.1 ajax spec enhancements - runscripts/applystyles

Ganesh ganesh at j4fry.org
Tue Dec 22 15:26:12 EST 2009


No, these aren't attributes. If XHTML that comes in via xhr
contains scripts these *always* need to be executed and
styles need to be *always* applied. Some browsers in
combination with some replacement methods already do this
for us, some don't, so we need to take action.

I cannot see the security hole with this as some browsers
actually do it. Can you make up a setup that illustrates
the hole?

Best regards,
Ganesh 

>     There are also 2 functional clarifications I want to propose.
>     Mojarra and MyFaces partly differ in this, so I think we need to
>     clarify.
> 
> 
> Sorry, I'm confused. Are runscripts and applystyles f:ajax tag 
> attributes? If so, do the attributes affect only the Ajax request that 
> f:ajax fires, or is it an app-wide setting for all Ajax requests?
> 
>     runscripts: If a piece of XHTML comes in via xhr and contains
>     <script> tags, the ajax engine should automatically trigger execution of
>     these scripts. This is important if you want to replace a js function
>     or if the scripts somehow initialize UI elements. It depends on a
>     combination of the js replacement code
>     (innerHTML/adjacentHTML/contextualFragment/...) and the browser
>     platform whether the browsers automatically run these scripts,
>     IE mostly doesn't run them, FF mostly does. The ajax engine should
>     know whether the browser does automatically run the scripts and if it
>     doesn't they should be triggered via js.
> 
> 
> I understand the desire for this, but this opens a pretty big security 
> hole, doesn't it? Do we need to do anything about that?
> 

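The runscripts/applystyles behaviour the thread describes, written out as an added example (this is not code from the thread, from Mojarra or from MyFaces): a DOM-free helper that lists the scripts a fragment carries, and a browser-side function that inserts the fragment, hoists its styles and re-creates its scripts so they actually execute. The function names, the sample fragment and the same-origin rule before executing scripts are assumptions made for this illustration.

```javascript
// Added example, not code from the jsr-314 thread, Mojarra or MyFaces. The names,
// the sample fragment and the same-origin rule are assumptions for this illustration.

// Constructed sample of an XHTML fragment as a partial response might carry it.
const SAMPLE_FRAGMENT =
  '<div id="form:panel">' +
  '<style>.hint{color:#080}</style>' +
  '<script type="text/javascript">initPanel("form:panel");</script>' +
  '<script src="/js/widgets.js"></script>' +
  '<span class="hint">saved</span></div>';

// DOM-free helper: lists the scripts a fragment contains (inline text or src), so an
// engine can log or audit what it is about to execute. The regex is enough for the
// well-formed XHTML a Faces response sends, not for arbitrary HTML.
function extractScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*"([^"]*)"/i.exec(m[1]);
    found.push({ src: src ? src[1] : null, text: m[2].trim() });
  }
  return found;
}

// Browser side: replace `container`'s content with `html`, which the XHR fetched from
// `responseUrl` (e.g. xhr.responseURL). Scripts parsed in via innerHTML carry the
// "already started" flag and never run, so each one is re-created; because innerHTML
// never ran them, nothing executes twice.
function applyFragment(container, html, responseUrl) {
  const pageOrigin = window.location.origin;
  const sameOrigin = new URL(responseUrl, window.location.href).origin === pageOrigin;
  container.innerHTML = html;
  // applystyles: hoist <style>/<link rel=stylesheet> into <head>, where they apply
  // document-wide and survive the next replacement of this container.
  for (const st of container.querySelectorAll('style, link[rel="stylesheet"]')) {
    document.head.appendChild(st);
  }
  // runscripts: only fragments served by the application's own origin get their
  // scripts executed; anything else is left inert in the DOM.
  if (!sameOrigin) return false;
  for (const old of container.querySelectorAll('script')) {
    const fresh = document.createElement('script');
    for (const attr of old.attributes) fresh.setAttribute(attr.name, attr.value);
    fresh.text = old.textContent;          // inserting a fresh <script> executes it
    old.parentNode.replaceChild(fresh, old);
  }
  return true;
}
```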