Marius Dumitru Florea wrote:
> Hi Caleb,
>
> On 06/13/2010 10:31 PM, Caleb James DeLisle wrote:
>> I would like to see a (written) best practice of putting all javascript
>> content into the head of the XHTML document.
>>
>> Reason 1:
>> Moving all script into the head makes it easier to find and makes impossible
>> bad (and often non WCAG compliant) practices such as attaching script to
>> xml attributes.
>> It makes it less of a jungle.
>>
>> Reason 2:
>> If we have no script in the body of any documents then users can implement
>> filters which remove any script after the </head> tag. This would make
>> script injection certifiably impossible.
>>
>>
>> WDYT?
>
> Let's say I have a JavaScript component that is configurable and has
> lots of parameters. I'm including the code of this component using a
> script tag in the head but I want to invoke it multiple times with
> different parameters inside the body tag. The parameters of each
> instance depend on content that was previously generated in the document
> body. How would you do that without using script tags inside the body?

Good point. There are situations where it's unreasonably hard to comply with a
best practice. My Invitation preview code contains style information in style
attributes in the code. That is because the email content contains style
information and to remove it would make it not a true preview.

In such cases I think we just need to acknowledge that best practices don't fit
every single situation. If there were an XSS filter, the filter would have to
understand an HTML comment in the head which told it that the page was to be
treated differently. I don't think that we should avoid codifying this just
because some use cases are unable to comply.

Caleb

>
> Thanks,
> Marius
>
>> Caleb
>>
>> _______________________________________________
>> devs mailing list
>> [email protected]
>> http://lists.xwiki.org/mailman/listinfo/devs
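
An added example, not part of the original thread or of XWiki's code: a small audit that reports everything a "no script after </head>" filter would have to catch, which goes beyond script tags to the attribute-borne script mentioned under Reason 1. The opt-out comment text, the `audit` function and the sample page are assumptions made up for this sketch.

```python
from html.parser import HTMLParser

# Hypothetical opt-out marker (an assumption for this sketch, not an XWiki convention).
OPT_OUT = "xss-filter: allow-body-script"
URL_ATTRS = {"href", "src", "action", "formaction"}
BEFORE, IN_HEAD, AFTER = range(3)

class BodyScriptAudit(HTMLParser):
    """Records every script carrier found outside the first <head> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.state, self.opted_out, self.findings = BEFORE, False, []

    def handle_starttag(self, tag, attrs):
        if tag == "head" and self.state == BEFORE:
            self.state = IN_HEAD      # only the first <head> counts; a later one is body content
            return
        if self.state == IN_HEAD:
            return                    # script in the head is what the practice allows
        line = self.getpos()[0]
        if tag == "script":
            self.findings.append((line, "<script> element"))
        for name, value in attrs:
            # Entities are already decoded by the parser; removing all whitespace
            # is conservative and may over-report.
            compact = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self.findings.append((line, f"{name} handler on <{tag}>"))
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append((line, f"javascript: URL in {name} on <{tag}>"))

    def handle_endtag(self, tag):
        if tag == "head" and self.state == IN_HEAD:
            self.state = AFTER

    def handle_comment(self, data):
        if self.state == IN_HEAD and data.strip() == OPT_OUT:
            self.opted_out = True     # honoured only inside the real head

def audit(html):
    """Return (opted_out, findings) for one document."""
    parser = BodyScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.opted_out, parser.findings

# Constructed sample page, not taken from XWiki.
SAMPLE = """<html><head>
<script src="component.js"></script>
</head><body>
<p onclick="run()">text</p>
<a href="java&#115;cript:run()">link</a>
<head><!-- xss-filter: allow-body-script --></head>
<script>init({rows: 3})</script>
</body></html>"""
```

The second `<head>` in the sample sits inside the body, so its opt-out comment is ignored and the script after it is still reported.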

