- From: Andrew Fedoniouk <andrew.fedoniouk@live.com>
- Date: Fri, 15 Oct 2010 23:32:18 -0700
- To: "Tab Atkins Jr." <jackalmage@gmail.com>
- Cc: "Julian Reschke" <julian.reschke@gmx.de>, "HTML WG" <public-html@w3.org>
--------------------------------------------------
From: "Tab Atkins Jr." <jackalmage@gmail.com>
Sent: Friday, October 15, 2010 8:42 AM
To: "Andrew Fedoniouk" <news@terrainformatica.com>
Cc: "Julian Reschke" <julian.reschke@gmx.de>; "HTML WG" <public-html@w3.org>
Subject: Re: Working Group Decision on ISSUE-100 srcdoc

> On Thu, Oct 14, 2010 at 9:18 PM, Andrew Fedoniouk
> <andrew.fedoniouk@live.com> wrote:
>> It is technically feasible to parse content of <script type="text/html">
>> without need of any escapement at all. The only principal exception is the
>> <plaintext> thing.
>
> As I said before, the reasoning against using <script> is identical to
> the reasoning against the plain <sandbox> element that was brought up
> before. I encourage you to read the previous emails on the subject
> and my Change Proposal before attempting to push this solution
> further; at the moment you are not presenting any new information,
> merely rehashing old ideas that have already been discarded as
> insufficient.

<script type="text/html"> is used already in the wild if that counts.
And usually without any escapement.

See Mr. Resig's article:
http://ejohn.org/blog/javascript-micro-templating/
for <script type="text/html"> and
http://msdn.microsoft.com/en-us/library/ms766512(VS.85).aspx
for <script type="text/xml">.

Back to the markup-inside-markup vs. markup-inside-attribute idea.

Citing your message
http://lists.w3.org/Archives/Public/public-html/2010Jul/0053.html

"An <iframe> tag with a data: url in the @src attribute containing the
user-provided content. This proposal is unsatisfactory as the escaping
requirements of data: urls are non-trivial."

and

"The @srcdoc suggestion was offered as an improvement over all of these
proposals."

Both of these statements are quite controversial. The level of escapement
craziness is the same in both cases. E.g. you will need to escape
a) all ""","'", "'" and """ sequences and then
b) to escape all literal quotes.
The only way to accomplish a) is to escape all '&' by replacing them by
"&amp;". The same kind of spaghetti as with URL escapements.

In general escapement works pretty well and is robust, but not in
situations when you have to escape a sequence that already uses the same
escapement schema. Otherwise you are getting recursive escapement, which is
usually a sign of bad system design.

<script type="text/html"> requires escapement of only "</script>"
sequences like:

  <script type="text/html">
    <html><script>...</script></html>
  </script>

It is possible to avoid the need for escapements at all with use of an
ends=N attribute that contains the number of "</script>" tags inside:

  <script type="text/html" ends=1>
    <html><script>...</script></html>
  </script>

I believe that there are other options, for example the multipart-ish
approach proposed by Maciej Stachowiak:

  <script ... token=F4C79A1094B3D34201E>
    ....
  </script token=F4C79A1094B3D34201E>

>
> I will no longer respond until you have indicated that you have put
> forth a minimal effort to understand the discussion that has already
> taken place and which you have been pointed towards. Discussing
> anything before you have done so is a waste of this group's time.
>

Aye aye, sir.

Here is a search string that I used:
http://www.w3.org/Search/Mail/Public/search?type-index=public-html&index-type=t&keywords=%3Csandbox%3E&search=Search

I suspect that these 10 messages do not cover the whole discussion, or is
this all of it?

Sidenote: I believe that there is a form of better organization of such a
problem - wikis probably. As soon as someone wants to write a message having
"Summary:" and "Rationale:" then it is time to consider creation of a
wiki page for the problem. It will allow one to see the big picture of it.
(I suspect that Google Wave could be even better for that but we sang
sic-transit-gloria-mundi for it already, sigh)

--
Andrew Fedoniouk.

http://terrainformatica.com
Received on Saturday, 16 October 2010 06:32:56 UTC
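
The two-step escaping for a double-quoted srcdoc value discussed in the message above (ampersands first, then literal quotes), as an added example that is not part of the original message or of any specification text. The function names, the constructed sample string and the simplified attribute-value decoder are assumptions made for illustration.

```javascript
// Escape markup for a double-quoted srcdoc="..." attribute value.
// '&' is replaced first so that character references already present in
// the content are still literal text after the parser decodes once.
function escapeSrcdoc(markup) {
  return markup.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Weak variant: escapes only the quote character and leaves '&' alone.
function escapeQuotesOnly(markup) {
  return markup.replace(/"/g, '&quot;');
}

// Simplified model (assumption) of the single decoding pass an HTML parser
// applies to an attribute value. Only a few named references are handled.
function decodeAttributeValue(value) {
  const named = { amp: '&', quot: '"', apos: "'", lt: '<', gt: '>' };
  return value.replace(/&(#\d+|#[xX][0-9a-fA-F]+|[a-zA-Z]+);/g, (whole, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1] === 'x' || ref[1] === 'X';
      return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return Object.prototype.hasOwnProperty.call(named, ref) ? named[ref] : whole;
  });
}

// An escaped value must not contain a raw quote, or it would end the attribute.
function staysInsideAttribute(escaped) {
  return !escaped.includes('"');
}

// Does the embedded document come back byte-for-byte after one decode?
function roundTrips(escapeFn, markup) {
  return decodeAttributeValue(escapeFn(markup)) === markup;
}

// Constructed sample: content that already uses references and quotes.
const sample = '<p title="a">Tom &amp; Jerry wrote &quot;x&quot; &#39;y&#39;</p>';

console.log('<iframe sandbox srcdoc="' + escapeSrcdoc(sample) + '"></iframe>');
console.log('ampersand-first round-trips:', roundTrips(escapeSrcdoc, sample));
console.log('quotes-only round-trips:   ', roundTrips(escapeQuotesOnly, sample));
```

With the quotes-only variant the attribute still closes correctly, but the references that were in the content are decoded one level too far, so the embedded document is no longer the one that was supplied.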