
[whatwg] More prohibited characters for unquoted attributes are needed

From: Geoffrey Sneddon <foolistbar@googlemail.com>
Date: Mon, 7 Sep 2009 18:34:10 +0100
Message-ID: <066122B3-B866-49C9-BE1C-735FB085596F@googlemail.com>

On 6 Sep 2009, at 12:35, Aryeh Gregor wrote:

> See some research here:
>
> http://code.google.com/p/html5lib/issues/detail?id=93
>
> It seems like in addition to whitespace and "'=<> , the characters
> U+0000 through U+0020 should be banned from unquoted attribute values,
> as well as U+0060 (backtick `), for the sake of compatibility.

Apparently Hixie had previously said he didn't want to change this as  
it will become a non-issue over time. I think it does matter due to  
the security issues it presents in existing UAs. Conforming markup  
(using elements/attributes allowed in HTML 4.01) should not cause JS  
to execute in one browser but not in another.


--
Geoffrey Sneddon
<http://gsnedders.com/>
Received on Monday, 7 September 2009 10:34:10 UTC
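
An added example, not part of the original message and not html5lib's own code: a minimal serializer check that omits attribute quotes only when the value contains none of the characters listed in the quoted proposal. The function names are hypothetical and the sample values in the comments are constructed.

```python
import re

# Characters the thread proposes banning from unquoted attribute values:
# U+0000 through U+0020 (this range covers whitespace), the characters
# " ' = < >, and U+0060 (backtick).
UNSAFE_UNQUOTED = re.compile(r"[\x00-\x20\"'=<>`]")


def needs_quotes(value: str) -> bool:
    """Return True when the value must not be emitted without quotes.

    An empty value also needs quotes, since `name=` followed by nothing
    is not a valid unquoted attribute.
    """
    return value == "" or UNSAFE_UNQUOTED.search(value) is not None


def serialize_attr(name: str, value: str) -> str:
    """Serialize one attribute, dropping the quotes only when that is safe."""
    # Ampersands are escaped in both forms so the value cannot be read
    # back as the start of a character reference.
    escaped = value.replace("&", "&amp;")
    if not needs_quotes(value):
        return f"{name}={escaped}"
    # Double-quoted form: only the double quote itself needs escaping
    # in addition to the ampersand.
    escaped = escaped.replace('"', "&quot;")
    return f'{name}="{escaped}"'


if __name__ == "__main__":
    # Constructed sample values: a plain token, a backtick, a vertical tab
    # (U+000B, inside U+0000-U+0020 but not HTML whitespace), and a query
    # string containing "=" and "&".
    for sample in ["nav", "a`b", "a\x0bb", "x?a=1&b=2", ""]:
        print(repr(sample), "->", serialize_attr("data-x", sample))
```

A serializer that applies the wider exclusion list always quotes these values, so the output parses the same way whether or not a given user agent treats the extra characters specially.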
