Re: <iframe doc="">

Ian Hickson wrote:
> Markup in attributes has it's disadvantages, but it's not necessarily a
> problem.

One big disadvantage with putting markup in attributes, especially for 
the doc proposal, is that ampersands will often have to be double 
escaped as &amp;amp;, due to the content of doc effectively being parsed 
twice - once as the content of the attribute, and then again to parse 
the string as a document.


Consider marking up a link containing this URL:


By only escaping the ampersands once like this, the following happens:

   <iframe doc="<a href="?name=foo&amp;title=bar&amp;sect=1">link</a>">

The &amp; entites are decoded as they parsed the first time to obtain 
the attribute value.  This results in the following string:

   "<a href="?name=foo&title=bar&sect=1">link</a>"

This is then parsed again by a new instance of the HTML parser, which 
results in the first ampersand being flagged as a parse error, and the 
second being interperted as §.  This is then equivalent to the following:

   <a href="?name=foo&title=bar§=1">link</a>

The parse error might be deemed acceptable in text/html because it's 
non-fatal and ends up with the correct result, even though it would be 
non-conforming, but the latter misinterpretation would break the link.

But for XHTML, it gets worse, because the first ampersand would be 
fatal.  There are also other similar problems that would be caused by 
using &lt; isntead of double escaping it as &amp;lt;.

These problems would be avoided if the markup had instead been the 
following, even though it's more complicated for authors to get right:

   <iframe doc="<a 

Lachlan Hunt - Opera Software

Received on Sunday, 17 January 2010 10:46:05 UTC