[jsr-314-open] JSF 2.1 ajax spec enhancements - runscripts/applystyles

Jim Driscoll Jim.Driscoll at Sun.COM
Tue Jan 19 13:13:06 EST 2010


Ganesh -

As far as I know, the runscripts behavior is the same between MyFaces 
and Mojarra - what's the difference that you are speaking of?  Werner 
and I collaborated a bit during beta to make sure they were the same...

Thus, I'm confused by your contention in the bug:

https://javaserverfaces-spec-public.dev.java.net/issues/show_bug.cgi?id=724

That:

MyFaces 2.0 does execute script, Mojarra doesn't, spec needs to clarify for
unification

Agree that this needs to be in the spec.  Its omission was an oversight.

As for applying styles:

The <style> tag is only valid in the <head> - and we do not apply stuff 
in the head right now - mostly because there are just so very many bugs 
when doing so.

So, this may be surfacing a more major lack in the spec than just styles.

Jim

On 12/22/09 12:26 PM, Ganesh wrote:
> no, these aren't attributes. If XHTML that comes in via xhr
> contains scripts these *always* need to be executed and
> styles need to be *always* applied. Some browsers in combination with
> some replacement methods already do this for us, some don't, so we need
> to take action.
>
> I cannot see the security hole with this as some browsers
> actually do it. Can you make up a setup that illustrates
> the hole?
>
> Best regards,
> Ganesh
>> There are also 2 functional clarifications I want to propose.
>> Mojarra and MyFaces partly differ in this, so I think we need to
>> clarify.
>>
>>
>> Sorry, I'm confused. Are runscripts and applystyles f:ajax tag
>> attributes? If so, do the attributes affect only the Ajax request that
>> f:ajax fires, or is it an app-wide setting for all Ajax requests?
>>
>> runscripts: If a piece of XHTML comes in via xhr and contains
>> <script> tags the ajax engine should automatically trigger execution of
>> these scripts. This is important if you want to replace a js function
>> or if the scripts somehow initialize UI elements. It depends on a
>> combination of the js replacement code
>> (innerHTML/adjacentHTML/contextualFragment/...) and the browser
>> platform whether the browsers automatically run these scripts,
>> IE mostly doesn't run them, FF mostly does so. The ajax engine should
>> know whether the browser does automatically run the scripts and if it
>> doesn't they should be triggered via js.
>>
>>
>> I understand the desire for this, but this opens a pretty big security
>> hole, doesn't it? Do we need to do anything about that?
>>
>
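
The runscripts behaviour discussed in this thread, as an added example that is not part of the original messages and is not MyFaces or Mojarra code: markup from a partial response is split into executable scripts and the remaining markup, so that running them is an explicit engine decision rather than a side effect of the insertion method. `splitScripts`, `applyUpdate`, the callbacks and the sample markup are hypothetical, and the regular expression stands in for a real HTML parser.

```javascript
// Constructed sample of markup as it might arrive in a partial response.
const SAMPLE_UPDATE =
  '<div id="panel">Hello' +
  '<script type="text/javascript">initPanel();</script>' +
  '<script src="/res/widget.js"></script>' +
  '<script type="text/template"><b>not code</b></script></div>';

// Script types treated as executable JavaScript (abbreviated list).
const JS_TYPES = new Set(['', 'text/javascript', 'application/javascript', 'module']);

// Read one attribute value (double-quoted, single-quoted or bare) from a tag's attribute text.
function attr(tagAttrs, name) {
  const re = new RegExp(
    '(?:^|\\s)' + name + '\\s*=\\s*("([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tagAttrs);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// Separate executable <script> elements from the markup. Data blocks such as
// type="text/template" are not code and stay where they are.
function splitScripts(markup) {
  const scripts = [];
  const html = markup.replace(
    /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi,
    (whole, attrs, body) => {
      const type = (attr(attrs, 'type') || '').trim().toLowerCase();
      if (!JS_TYPES.has(type)) return whole;
      const src = attr(attrs, 'src');
      scripts.push(src !== null ? { src } : { inline: body });
      return '';
    });
  return { html, scripts };
}

// insert(html) and run(script) are caller-supplied callbacks (assumptions):
// insert places markup in the page, run evaluates a single script.
// Scripts run only when runScripts is true, whatever the browser would do itself.
function applyUpdate(markup, { runScripts, insert, run }) {
  const { html, scripts } = splitScripts(markup);
  insert(html);
  const executed = runScripts ? scripts : [];
  executed.forEach((s) => run(s));
  return { executed: executed.length, skipped: scripts.length - executed.length };
}
```
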



