Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Relax <select> parser #1086

Closed
josepharhar opened this issue Oct 9, 2024 · 3 comments
Closed

Relax <select> parser #1086

josepharhar opened this issue Oct 9, 2024 · 3 comments
Assignees
@zcorpan @hsivonen
Labels
concerns: compatibility position: positive topic: HTML venue: WHATWG Specifications in a WHATWG Workstream

Comments

@josepharhar
Copy link

josepharhar commented Oct 9, 2024
edited
Loading

Request for Mozilla Position on an Emerging Web Specification

Other information

whatwg/html#10310 (comment)
This was referenced Oct 9, 2024
Open
Open
@zcorpan zcorpan added topic: HTML venue: WHATWG Specifications in a WHATWG Workstream concerns: compatibility labels Oct 10, 2024
@zcorpan zcorpan self-assigned this Oct 10, 2024
@zcorpan zcorpan moved this from Unscreened to Needs proposed position in standards-positions review Oct 10, 2024
@zcorpan
Copy link
Member

zcorpan commented Oct 10, 2024

Per whatwg/html#10310 (comment) the web compat situation needs more clarity. But a parser change is needed here in order to support other elements in a custom select, and the direction proposed here seems like the best for web developers long-term.

I reviewed the security risk of this change in whatwg/html#10310 (comment)

Conclusion: sanitizers need to have general protection against mXSS, and so this change doesn't introduce new mXSS vectors, even though the parsed tree can be very different between new and legacy parsers.

I suggest position: positive.

@hsivonen should sign off here before setting a position label.

@zcorpan zcorpan moved this from Needs proposed position to Position is proposed in standards-positions review Oct 10, 2024
@hsivonen
Copy link
Member

hsivonen commented Dec 4, 2024

I think that it makes sense to take a positive position on finding out the Web compat constraints for the proposed select parsing per whatwg/html#10310 (comment) .

A caveat, though: Previously, I had looked only at changes to select parsing and had missed whatwg/html#10633 , which appears to be treated as part of the whole package. I'm worried about breaking the so far implied invariant that there is one DOM element node per non-erroneous (possibly implied) start tag. Even template, which changed the basic expectations of how markup corresponds to DOM constructs allows parsing conforming markup to a DOM tree and re-reserializing to round trip. selectedcontent causing one option start tag to result in two option element nodes breaks at least serialization round-trippability of conforming markup. I don't at this time have more concrete reasoning about what practical badness this can cause exactly, but this kind of departure from the (implied) invariants worries me, so I don't want to say "positive" about this particular aspect.

@zcorpan zcorpan mentioned this issue Dec 9, 2024
Open
@zcorpan
Copy link
Member

zcorpan commented Dec 9, 2024

Marking as positive but without the selectedcontent element in scope, where the cloning aspect from parsing that @hsivonen raised above is not in scope for this issue.

@zcorpan zcorpan closed this as completed Dec 9, 2024
@josepharhar josepharhar mentioned this issue Dec 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zcorpan zcorpan

@hsivonen hsivonen

Labels
concerns: compatibility position: positive topic: HTML venue: WHATWG Specifications in a WHATWG Workstream
Projects
standards-positions review
Status: Position is proposed
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zcorpan @hsivonen @josepharhar