V
VK
In continuation of discussion at
http://groups.google.ru/group/comp.lang.javascript/browse_frm/thread/ee8a1afd6b07d4bc
in the particular http://groups.google.ru/group/comp.lang.javascript/msg/a6ad29140d7f8b3d
http://groups.google.ru/group/comp.lang.javascript/msg/5de9dc0567b9e331
First of all, *any* commercially usable library intended to support
legacy IE6 environment creates form elements over a separate IE6-only
branch (respectively with IE6 detection on startup) with IE-only
createElement syntax. This way the issue has mainly theoretical impact
unless someone is creating form-handling script from the scratch and
needs to support IE6 as well.
IE6 in its long history has a greate number of vulnerability attacks
with a greate amount of them targeted to input-file element in order
to gain local file access. Miscrosoft had to issue emergency security
fixes, oftenly by deliberately breaking some existing functionality
and by restoring it in upcoming fixes and cummulative updates. All
this was connected with setting input element type using the
conventional DOM methods. As since the last IE6 update and up to the
current IE8 the only remnant remains: the lock on type assignment to
button element. The exact explanation of the security risk is
irrelevant as it is not a hacker forum. Just a hint that it is still
connect with input-file.
At the same time is one managed to create a form element in the
conventional way, then further IE behavior is the same as for others.
There are not "disappeared" text elements or so as claimed. If
Microsoft once confirmed it, it just shows once again that MS tech
guys are not gods but just people able to make mistakes.
At http://jsnet.sourceforge.net/entities.html one can test it if still
in doubts (of course IE6-8 is needed). This test first creates
different form elements and logs each step. Then it stops and over
setTimeout starts new test where all current form elements being
listed. As the last step one can press Firefox image button to submit
it to http://www.example.com over GET. This way the CGI data can be
viewed in the address bar.
http://groups.google.ru/group/comp.lang.javascript/browse_frm/thread/ee8a1afd6b07d4bc
in the particular http://groups.google.ru/group/comp.lang.javascript/msg/a6ad29140d7f8b3d
http://groups.google.ru/group/comp.lang.javascript/msg/5de9dc0567b9e331
First of all, *any* commercially usable library intended to support
legacy IE6 environment creates form elements over a separate IE6-only
branch (respectively with IE6 detection on startup) with IE-only
createElement syntax. This way the issue has mainly theoretical impact
unless someone is creating form-handling script from the scratch and
needs to support IE6 as well.
IE6 in its long history has a greate number of vulnerability attacks
with a greate amount of them targeted to input-file element in order
to gain local file access. Miscrosoft had to issue emergency security
fixes, oftenly by deliberately breaking some existing functionality
and by restoring it in upcoming fixes and cummulative updates. All
this was connected with setting input element type using the
conventional DOM methods. As since the last IE6 update and up to the
current IE8 the only remnant remains: the lock on type assignment to
button element. The exact explanation of the security risk is
irrelevant as it is not a hacker forum. Just a hint that it is still
connect with input-file.
At the same time is one managed to create a form element in the
conventional way, then further IE behavior is the same as for others.
There are not "disappeared" text elements or so as claimed. If
Microsoft once confirmed it, it just shows once again that MS tech
guys are not gods but just people able to make mistakes.
At http://jsnet.sourceforge.net/entities.html one can test it if still
in doubts (of course IE6-8 is needed). This test first creates
different form elements and logs each step. Then it stops and over
setTimeout starts new test where all current form elements being
listed. As the last step one can press Firefox image button to submit
it to http://www.example.com over GET. This way the CGI data can be
viewed in the address bar.