[Bug 14041] New: inconsistent definitions of safe content for scripts.

From: <bugzilla@jessica.w3.org>
Date: Tue, 06 Sep 2011 08:32:36 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-14041-2486@http.www.w3.org/Bugs/Public/>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=14041

           Summary: inconsistent definitions of safe content for scripts.
           Product: HTML WG
           Version: unspecified
          Platform: PC
        OS/Version: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: HTML/XHTML Compatibility Authoring Guide (ed: Eliot
                    Graff)
        AssignedTo: eliotgra@microsoft.com
        ReportedBy: davidc@nag.co.uk
         QAContact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
                    public-html@w3.org, eliotgra@microsoft.com


Informally, "safe content" is content that you can put in a script (or style)
element in a polyglot document, and conversely content that is not safe should
be placed in an external file and referenced.

However

http://dev.w3.org/html5/html-xhtml-author-guide/html-xhtml-authoring-guide.html#external-script-and-style

says

> Polyglot markup uses external scripts if that document's script or style sheet uses < or & or ]]> or --. 

The restriction on -- is not needed, <script> a-- </script> would parse the
same way in xml or html. Its inclusion appears to be related to the side
comment on not using <!-- comments in scripts, but its inclusion in the list
of strings that force the use of external files appears to be bogus.




Conversely, the following section

http://dev.w3.org/html5/html-xhtml-author-guide/html-xhtml-authoring-guide.html#in-line-script-and-style

says

> Safe content is content that does not contain a < or & character.

Here, despite what it says in the previous section, there is (correctly) no
banning of -- and (incorrectly) no banning of ]]>

Proposal:

Take the definition of "safe content" out of 9.1 and place it into section 9
immediately before 9.1 and 9.2 so both can reference it.

Then 9.1 can say scripts _must_ use external reference if the script uses
unsafe content and 9.2 can say scripts may be inline if they only contain safe
content.

As a definition of "safe content" I think

Content is not "safe" if it contains (after any xml or html entity or character
references are expanded) the characters < or & or the substring ]]>

Received on Tuesday, 6 September 2011 08:32:40 UTC
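
The parsing difference behind the report, as an added example that is not part of the original message: the same inline script body is fed to Python's standard-library HTML parser and XML parser and the text each one sees is compared. The `is_safe` helper, the function names and the sample script bodies are constructed for illustration.

```python
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

class _ScriptText(HTMLParser):
    """Collects the raw text an HTML parser sees inside <script>."""
    def __init__(self):
        super().__init__()
        self.in_script, self.chunks = False, []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)

def html_script_text(body):
    p = _ScriptText()
    p.feed("<script>" + body + "</script>")
    p.close()
    return "".join(p.chunks)

def xml_script_text(body):
    """Text an XML parser sees, or None if the document is not well-formed."""
    try:
        return ET.fromstring("<script>" + body + "</script>").text or ""
    except ET.ParseError:
        return None

def is_safe(body):
    """Definition proposed in the report, applied to the literal source text
    (any entity or character reference already contains '&')."""
    return not ("<" in body or "&" in body or "]]>" in body)

# Constructed sample script bodies.
SAMPLES = [" a-- ", " if (a < b) f(); ", " x = a && b; ",
           " s = 'a &amp; b'; ", " y = a[b[0]]>1; "]

def compare(samples=SAMPLES):
    """Return (body, is_safe, parsers_agree) for each sample."""
    return [(s, is_safe(s), html_script_text(s) == xml_script_text(s))
            for s in samples]

if __name__ == "__main__":
    for body, safe, agree in compare():
        print(f"{body!r:24} safe={safe!s:5} html==xml: {agree}")
```

Only the `--` sample is both safe and parsed identically; the `&amp;` sample is well-formed XML but yields different script text in each parser, and the `]]>` sample is rejected by the XML parser.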