
[Bug 14041] New: inconsistent definitions of safe content for scripts.

From: <bugzilla@jessica.w3.org>
Date: Tue, 06 Sep 2011 08:32:36 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-14041-2486@http.www.w3.org/Bugs/Public/>

           Summary: inconsistent definitions of safe content for scripts.
           Product: HTML WG
           Version: unspecified
          Platform: PC
        OS/Version: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: HTML/XHTML Compatibility Authoring Guide (ed: Eliot
        AssignedTo: eliotgra@microsoft.com
        ReportedBy: davidc@nag.co.uk
         QAContact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
                    public-html@w3.org, eliotgra@microsoft.com

Informally, "safe content" is content that you can put in a script (or style)
element in a polyglot document, and conversely content that is not safe should
be placed in an external file and referenced.




> Polyglot markup uses external scripts if that document's script or style sheet uses < or & or ]]> or --. 

The restriction on -- is not needed, <script> a-- </script> would parse the
same way in xml or html. Its inclusion appears to be related to the side
comment on not using <!-- comments in scripts, but its inclusion in the list
of strings that force the use of external files appears to be bogus.

Conversely, the following section



Safe content is content that does not contain a < or & character.

here, despite what it says in the previous section there is (correctly) no
banning of -- and (incorrectly) no banning of ]]>


Take the definition of "safe content" out of 9.1 and place it into section 9
immediately before 9.1 and 9.2 so both can reference it.

then 9.1 can say scripts _must_ use external reference if the script uses
unsafe content and 9.2 can say scripts may be inline if they only contain safe

As a definition of "safe content" I think

Content is not "safe" if it contains (after any xml or html entity or character
references are expanded) the characters < or & or the substring ]]>

Received on Tuesday, 6 September 2011 08:32:40 UTC
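
The definition proposed in the report can be checked against real parsers. The following is an added example, not part of the bug report or of the Polyglot Markup specification: it applies the proposed "safe content" test and compares what an HTML parser and an XML parser each hand to a script element. Python's html.parser and ElementTree stand in for the two parsers, and the names is_safe, as_html, as_xml and compare are hypothetical.

```python
import html
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

def is_safe(content):
    """Proposed definition: expand references, then reject <, & and ]]>."""
    expanded = html.unescape(content)
    return not any(s in expanded for s in ("<", "&", "]]>"))

class _ScriptText(HTMLParser):
    """Collects the text an HTML parser delivers inside <script>."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.chunks = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)

def as_html(content):
    # HTML treats script content as raw text: no reference expansion.
    p = _ScriptText()
    p.feed("<script>" + content + "</script>")
    p.close()
    return "".join(p.chunks)

def as_xml(content):
    # XML parses markup and references; None means not well-formed.
    try:
        return ET.fromstring("<script>" + content + "</script>").text or ""
    except ET.ParseError:
        return None

def compare(content):
    h, x = as_html(content), as_xml(content)
    return {"safe": is_safe(content), "same_parse": h == x, "html": h, "xml": x}

# Constructed sample script bodies, one per string discussed in the report.
SAMPLES = [" a-- ", "if (a < b) x();", "a &amp;&amp; b", "a ]]> b"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), compare(s))
```

Only the " a-- " sample is both safe and parsed identically; the other three either fail XML well-formedness or yield different script text in the two parsers.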
