[whatwg] More prohibited characters for unquoted attributes are needed

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 14 Sep 2009 11:25:26 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0909141124590.14605@hixie.dreamhostps.com>

On Sun, 6 Sep 2009, Aryeh Gregor wrote:
>
> See some research here:
> 
> http://code.google.com/p/html5lib/issues/detail?id=93
> 
> It seems like in addition to whitespace and "'=<> , the characters 
> U+0000 through U+0020 should be banned from unquoted attribute values, 
> as well as U+0060 (backtick `), for the sake of compatibility.

On Mon, 7 Sep 2009, Geoffrey Sneddon wrote:
> 
> Apparently Hixie had previously said he didn't want to change this as it 
> will become a non-issue over time. I think it does matter due to the 
> security issues it presents in existing UAs. Conforming markup (using 
> elements/attributes allowed in HTML 4.01) should not cause JS to execute 
> in one browser but not in another.

The right fix here is to have the browsers all implement the same parser 
algorithm.

Validators are welcome to warn about this case, though.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 14 September 2009 04:25:26 UTC
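
A validator-side warning of the kind the reply above allows for, as an added example that is not part of the original thread or of any validator's code: it scans one start tag and reports unquoted attribute values containing the characters named in the thread. It assumes an unquoted value ends only at ASCII whitespace or ">"; the function names and sample tags are constructed for illustration.

```javascript
// Added example: warn about unquoted attribute values that contain the
// characters named in the thread. Function names and sample tags are constructed.
const WS = new Set([' ', '\t', '\n', '\f', '\r']); // these end an unquoted value

function label(ch) {
  return 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
}

// U+0000 through U+0020, plus " ' = < > and U+0060 (backtick).
function isFlagged(ch) {
  return ch.codePointAt(0) <= 0x20 || '"\'=<>`'.includes(ch);
}

function lintUnquotedAttributes(tag) {
  const warnings = [];
  let i = tag.indexOf('<') + 1;
  const atEnd = () => i >= tag.length || tag[i] === '>';
  while (!atEnd() && !WS.has(tag[i])) i++;                 // skip the tag name
  while (i < tag.length) {
    while (i < tag.length && (WS.has(tag[i]) || tag[i] === '/')) i++;
    if (atEnd()) break;
    const nameStart = i;
    while (!atEnd() && !WS.has(tag[i]) && tag[i] !== '=' && tag[i] !== '/') i++;
    const name = tag.slice(nameStart, i);
    while (i < tag.length && WS.has(tag[i])) i++;
    if (tag[i] !== '=') continue;                          // attribute without a value
    i++;
    while (i < tag.length && WS.has(tag[i])) i++;
    if (tag[i] === '"' || tag[i] === "'") {                // quoted value: nothing to flag
      const close = tag.indexOf(tag[i], i + 1);
      i = close === -1 ? tag.length : close + 1;
      continue;
    }
    const valueStart = i;
    while (!atEnd() && !WS.has(tag[i])) i++;               // value runs to whitespace or ">"
    const value = tag.slice(valueStart, i);
    const characters = [...new Set([...value].filter(isFlagged).map(label))];
    if (characters.length) warnings.push({ name, value, characters });
  }
  return warnings;
}

// Constructed samples: a backtick and a U+000B inside unquoted values.
console.log(lintUnquotedAttributes('<a href=foo`bar title="ok ` fine">'));
console.log(lintUnquotedAttributes('<img alt=a\u000Bb src=x.png>'));
```

Quoted values are skipped on purpose, since the thread concerns only the unquoted syntax.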