[Bug 23587] Provide rationale for content restrictions for script tag

https://www.w3.org/Bugs/Public/show_bug.cgi?id=23587

--- Comment #6 from Leif Halvard Silli <xn--mlform-iua@xn--mlform-iua.no> ---
(In reply to Jakub Łopuszański from comment #5)

> I don't think it would be of much value to suggest to authors of dynamically
> genrated mashups to even consider any actions  which would require "manual"
> treatment of the HTML. And this is how I perceived the suggestion to escape
> occurrences of "<script>" inside comments in the scripts.

For changes to the parser, there is now bug 23596.

This bug cannot change the parser (that's for bug 23596). But it could optimize
the restrictions for contents of script elements. Whether PHP needs to escape
*all* the “<” to cope with those restrictions, that is a problem related to PHP
- but it is not a reason to change the restrictions.

As I see it, and given the current state of the HTML parser, the restrictions
have problems. For instance, if one does this:
   <script><!--</script>
Then the HTML5 validator screams “error”, despite that it creates no parsing
problems. But if one does what you ”did” (or “ended up with”):
   <script><!--<script></script><!--comment--><script> </script>
Then the validator is silent - it blesses it as all good.

In both cases, the HTML parser (and the validator.nu) sees a single script
element. To me it would make more sense if the validator was silent in the
first case, but screamed out in the second case.

> Could you provide some real world scenario in which the rules above would be
> contrary to authors intention?

My suspicision is that there is no use case, except ”theoretical purity”. Ses
bug 23596.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Tuesday, 22 October 2013 18:19:21 UTC