hixie: Add an example of escaped ampersands in URLs in sandbox=''. (whatwg r4704)

hixie: Add an example of escaped ampersands in URLs in sandbox=''.
(whatwg r4704)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.3754&r2=1.3755&f=h
http://html5.org/tools/web-apps-tracker?from=4703&to=4704

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3754
retrieving revision 1.3755
diff -u -d -r1.3754 -r1.3755
--- Overview.html 13 Feb 2010 12:33:20 -0000 1.3754
+++ Overview.html 13 Feb 2010 12:44:48 -0000 1.3755
@@ -16973,7 +16973,7 @@
  </article>
  <article>
   <footer> At <time pubdate>2009-08-21T23:44Z</time>, <a href="/users/cap">cap</a> writes: </footer>
-  <iframe seamless sandbox="allow-same-origin" srcdoc="<p>Yeah, you can see it <a href="/gallery/cover/1">in my gallery</a>."></iframe>
+  <iframe seamless sandbox="allow-same-origin" srcdoc="<p>Yeah, you can see it <a href="/gallery?mode=cover&page=1">in my gallery</a>."></iframe>
  </article>
  <article>
   <footer> At <time pubdate>2009-08-21T23:58Z</time>, <a href="/users/ch">ch</a> writes: </footer>
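Review bot: In the added iframe line, the inner `href="/gallery?mode=cover&page=1"` appears with bare quotation marks and a single raw `&` inside the `srcdoc="..."` value, so as shown the attribute value would end at `<a href=` and the example would contradict the escaping rule it is meant to illustrate. Please confirm that the source has the inner quotes escaped as `&quot;` and the ampersand doubly escaped (`&amp;amp;`), as the paragraph added in the next hunk requires. The removed line shows the same bare quotes, so the other comments in this example are worth checking as well.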
@@ -16981,6 +16981,15 @@
 <p>you should get earl&me on the next cover."></iframe>
  &lt;/article&gt;</pre>
 
+   <p>Notice the way that quotes have to be escaped (otherwise the
+   <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute would
+   end prematurely), and the way raw ampersands (e.g. in URLs or in
+   prose) mentioned in the sandboxed content have to be
+   <em>doubly</em> escaped &mdash; once so that the ampersand is
+   preserved when originally parsing the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute, and once more
+   to prevent the ampersand from being misinterpreted when parsing the
+   sandboxed content.</p>
+
   </div><p class="note">In <a href="#syntax">the HTML syntax</a>, authors need only
   remember to use U+0022 QUOTATION MARK characters (") to wrap the
   attribute contents and then to escape all U+0022 QUOTATION MARK (")
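Review bot: The new paragraph names the wrong attribute: both links point at `attr-iframe-sandbox` and the text says the `sandbox` attribute "would end prematurely", but in the example the escaped markup is the value of `srcdoc`, while `sandbox` holds only `allow-same-origin`. Both references should name `srcdoc` and link to that attribute's definition, so the explanation matches the example it follows. The commit message has the same slip ("in sandbox=''").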

Received on Saturday, 13 February 2010 12:45:27 UTC