Fw: [librejs/librejs] Doesn’t detect inline scripts in XHTML(5) documents (#2)

[bill-auger]

this bug report was posted on github

https://github.com/librejs/librejs/issues/2


Begin forwarded message:

Date: Mon, 20 Jan 2020 08:01:54 -0800
From: Columbus240
To: librejs/librejs <address@hidden>
Cc: Subscribed <address@hidden>
Subject: [librejs/librejs] Doesn’t detect inline scripts in
XHTML(5) documents (#2)


If a webpage is served as `application/xhtml+xml` (and is
well-formed), then LibreJS won’t detect or block blocks of
inline JavaScript.

Minimal example:
```xhtml
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml";>
<head>
        <title>Some Title</title>
</head>
<body>
        <script>console.log("Hello");</script>
</body>
</html>
```

If this is saved to a `*.html` file and opened or served as
`text/html`, LibreJS will note the inline script as trivial. If
it is saved to a `*.xhtml` file and opened or served as
`application/xhtml+xml` LibreJS will ignore the inline script.
The JavaScript above can be replaced with arbitrary JavaScript
code without LibreJS changing its behaviour.

If a webpage is served as application/xhtml+xml (and is well-formed), then LibreJS won’t detect or block blocks of inline _javascript_.

Minimal example:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<title>Some Title</title>
</head>
<body>
	<script>console.log("Hello");</script>
</body>
</html>

If this is saved to a *.html file and opened or served as text/html, LibreJS will note the inline script as trivial. If it is saved to a *.xhtml file and opened or served as application/xhtml+xml LibreJS will ignore the inline script.
The _javascript_ above can be replaced with arbitrary _javascript_ code without LibreJS changing its behaviour.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.