
[Bug 23587] Provide rationale for content restrictions for script tag

From: <bugzilla@jessica.w3.org>
Date: Tue, 22 Oct 2013 11:53:07 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-23587-2486-E7xxnJ8xl3@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=23587

--- Comment #2 from Leif Halvard Silli <xn--mlform-iua@xn--mlform-iua.no> ---
(In reply to Jakub Łopuszański from comment #0)

Some comments to what you said:

> Now, what I want to complain about is that the story can end in various
> different ways depending on such "details" as:

> 3. do I have an <!-- innocent comment --> after the tag or not
> 4. do I have a second <script> tag after the innocent comment or not

The “innocent comment” is actually beneficial: If you had removed it, then the
comment inside the first <script> element would have reached to the end of the
document. But as long as the “innocent comment” stays there, then the comment
inside the first script ends when the “innocent comment” ends.

Note, however, that even if the comment *ends* in the “innocent
comment”, the script element continues until it sees the end tag
"</script>".


> I would really like to understand why the "double escape" mode
> triggered by "<!-- <script>" combo is needed.

Indeed. Until I read your bug, my understanding was that the parser would
*always* close the script element as soon as it sees the end tag </script>. But
like I said in comment #1, it is unclear to me whether the double escape mode
requires the parser to ignore the *first* (but *not* the second(!)) end tag
</script>.

> -- I would really like to understand why the "double escape" mode triggered
> by "<!-- <script>" combo is needed. It would help even more if some
> practices were suggested, which could help avoid such problems (for
> example: "Authors should always escape "<" character as "\x3C" in their
> strings" or something).

My first reaction was that this problem could have been solved by adding a rule
for Web authors which said that if they add a comment start inside a <script>,
then they also need to add a comment end inside the same element.

However, it turns out that this is already in the spec. (And thus it is
probably the cause of, rather than the solution to, the problem.) To verify, just
*remove* the “innocent comment”, and run the code in validator.nu. Then you
will get the following error message:

]]
    Error: The text content of element script was not in the  
    required format: Content contains the character sequence
    <!-- without a later occurrence of the character sequence -->.

    From line 3, column 34; to line 3, column 42

    ser.name);</script>↩</hea

    Syntax of embedded script content:
        Any text content that does not contain the character  
    sequence "<!--" without a later occurrence of the character
    sequence "-->" and  that does not contain any occurrence of
    the string "</script" followed by a space character, ">", or
    "/". For further details, see Restrictions for contents of 
    script elements. 
[[

Received on Tuesday, 22 October 2013 11:53:09 UTC
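
Added example, not part of the original message or of the bug report: a simplified JavaScript model of the HTML tokenizer's script data, escaped and double-escaped states, used to find which `</script>` end tag actually closes a script element. The function names and the three sample strings are constructed for illustration; the third applies the `\x3C` escaping practice quoted above.

```javascript
// Added example: simplified model of the HTML tokenizer's script data,
// escaped ("<!--" seen) and double-escaped ("<!-- <script" seen) states.
const END_TAG = /<\/script[\t\n\f\r \/>]/iy;  // "</script" + space, "/" or ">"
const START_TAG = /<script[\t\n\f\r \/>]/iy;  // "<script" + space, "/" or ">"
const COMMENT_END = /--+>/y;                  // "-->", extra dashes allowed

function matchAt(re, text, i) {
  re.lastIndex = i; // sticky regex: match only at position i
  return re.test(text);
}

// `text` is everything after the opening <script> tag. Returns the index of
// the end tag that closes the element, or -1 if the input ends first.
function scriptEndIndex(text) {
  let state = "data";
  for (let i = 0; i < text.length; i++) {
    if (state !== "data" && matchAt(COMMENT_END, text, i)) {
      state = "data";
    } else if (state === "data" && text.startsWith("<!--", i)) {
      state = "escaped";
      i += 1; // resume at the dashes so "<!-->" closes immediately
    } else if (state === "double-escaped") {
      if (matchAt(END_TAG, text, i)) state = "escaped"; // end tag ignored
    } else if (matchAt(END_TAG, text, i)) {
      return i; // in data or escaped state the end tag is honoured
    } else if (state === "escaped" && matchAt(START_TAG, text, i)) {
      state = "double-escaped";
    }
  }
  return -1;
}

// Constructed inputs (not the markup from the bug report).
const first = 'var s = "<!-- <script>";</script>\n';
const second = "<script>y()</script>\n";
const withComment = first + "<!-- innocent comment -->\n" + second;
const withoutComment = first + second;
const escapedLt = 'var s = "\\x3C!-- \\x3Cscript>";</script>\n' + second;

for (const [name, t] of Object.entries({ withComment, withoutComment, escapedLt })) {
  console.log(name, scriptEndIndex(t));
}
```

In this model the first end tag after `<!-- <script>` only leaves the double-escaped state, so the element closes at the second end tag when the intervening comment supplies `-->`, and never closes when it does not.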
