Re: Working Group Decision on ISSUE-100 srcdoc



--------------------------------------------------
From: "Tab Atkins Jr." <jackalmage@gmail.com>
Sent: Friday, October 15, 2010 8:42 AM
To: "Andrew Fedoniouk" <news@terrainformatica.com>
Cc: "Julian Reschke" <julian.reschke@gmx.de>; "HTML WG" <public-html@w3.org>
Subject: Re: Working Group Decision on ISSUE-100 srcdoc

> On Thu, Oct 14, 2010 at 9:18 PM, Andrew Fedoniouk
> <andrew.fedoniouk@live.com> wrote:
>> It is technically feasible to parse content of <script type="text/html">
>> without need of any escapement at all. The only principal exception is the
>> <plaintext> thing.
>
> As I said before, the reasoning against using <script> is identical to
> the reasoning against the plain <sandbox> element that was brought up
> before.  I encourage you to read the previous emails on the subject
> and my Change Proposal before attempting to push this solution
> further; at the moment you are not presenting any new information,
> merely rehashing old ideas that have already been discarded as
> insufficient.

<script type="text/html"> is used already in the wild if that counts.
And usually without any escapement.

See Mr. Resig's article: http://ejohn.org/blog/javascript-micro-templating/
for <script type="text/html"> and
http://msdn.microsoft.com/en-us/library/ms766512(VS.85).aspx
for <script type="text/xml">.

Back to markup-inside-markup vs. markup-inside-attribute idea.

Citing your message 
http://lists.w3.org/Archives/Public/public-html/2010Jul/0053.html

"An <iframe> tag with a data: url in the @src attribute containing
the user-provided content.  This proposal is unsatisfactory as the
escaping requirements of data: urls are non-trivial."
and
"The @srcdoc suggestion was offered as an improvement over all of these
proposals."

Both of these statements are quite controversial. The level of escapement
craziness is the same in both cases.  E.g. you will need to escape a) all
"&#34;", "&#39;", "&apos;" and "&quot;" sequences and then b) to escape all
literal quotes.  The only way to accomplish a) is to escape all '&' by
replacing them by "&amp;". The same kind of spaghetti as with URL escapements.

In general escapement works pretty well and is robust, but not in situations
when you have to escape a sequence that already uses the same escapement
schema. Otherwise you are getting recursive escapement that is usually a sign
of bad system design.

<script type="text/html"> requires escapement of only
"</script>" sequences like:

  <script type="text/html">
      <html><script>...<&#47;script></html>
  </script>

It is possible to avoid need of escapements at all with use of
ends=N attribute that contains number of "</script>" tags
inside:

  <script type="text/html" ends=1>
      <html><script>...</script></html>
  </script>

I believe that there are other options, for example
multipart-ish approach proposed by Maciej Stachowiak:

<script ... token=F4C79A1094B3D34201E>
   ....
</script token=F4C79A1094B3D34201E>

>
> I will no longer respond until you have indicated that you have put
> forth a minimal f effort to understand the discussion that has already
> taken place and which you have been pointed towards.  Discussing
> anything before you have done so is a waste of this group's time.
>

Aye aye, sir.

Here is a search string that I used:
http://www.w3.org/Search/Mail/Public/search?type-index=public-html&index-type=t&keywords=%3Csandbox%3E&search=Search
I suspect that these 10 messages do not cover whole discussion or is this
all of it?

Sidenote: I believe that there is a form of better organization of such
problem - wikis probably.  As soon as someone wants to write a
message having "Summary:" and "Rationale:" then it is a time to
consider creation of wiki page for the problem. It will allow to see
big picture of it. (I suspect that Google Wave could be even better
for that but we sang sic-transit-gloria-mundi for it already, sigh)

-- 
Andrew Fedoniouk.

http://terrainformatica.com

 

Received on Saturday, 16 October 2010 06:32:56 UTC
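
Added example, not part of the original message: the two-step escaping described above (escape every '&' first, then the literal quotes) for a double-quoted srcdoc attribute value, next to a quotes-only variant for contrast. The function names, the small attribute-decoding model and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: escaping a document for <iframe srcdoc="...">.
// Function names are hypothetical; the sample markup is constructed.

// Step a) escape every '&' first, step b) then escape literal double quotes.
function escapeForSrcdoc(html) {
  return html.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Broken variant: performs only step b), leaving existing entities untouched.
function escapeQuotesOnly(html) {
  return html.replace(/"/g, "&quot;");
}

// Minimal model of how a parser decodes a double-quoted attribute value.
// Covers only the references named in the thread plus &lt; and &gt;.
const ENTITIES = { amp: "&", quot: '"', apos: "'", lt: "<", gt: ">" };
function decodeAttribute(value) {
  return value.replace(/&(?:#(\d+)|([a-z]+));/g, (match, num, name) => {
    if (num !== undefined) return String.fromCharCode(Number(num));
    return Object.prototype.hasOwnProperty.call(ENTITIES, name)
      ? ENTITIES[name]
      : match;
  });
}

// True when the escaped value cannot close a double-quoted attribute early.
function staysInsideAttribute(escaped) {
  return !escaped.includes('"');
}

// What the framed document receives after the attribute value is decoded.
function roundTrip(escapeFn, html) {
  return decodeAttribute(escapeFn(html));
}

// Constructed sample: user content whose markup was already neutralised as text.
const userContent = '<p title="note">&lt;b&gt;5 &#34;inch&#34;&lt;/b&gt;</p>';

// Correct escaping returns the document unchanged after decoding.
console.log(roundTrip(escapeForSrcdoc, userContent) === userContent);
// Quotes-only escaping stays inside the attribute, yet the neutralised
// &lt;b&gt; text comes out as a live <b> element in the framed document.
console.log(staysInsideAttribute(escapeQuotesOnly(userContent)));
console.log(roundTrip(escapeQuotesOnly, userContent));
```

The quotes-only variant never breaks out of the attribute, so the failure is silent: the framed document simply differs from what the author escaped.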