- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 16 Oct 2010 15:12:16 -0700
- To: Andrew Fedoniouk <news@terrainformatica.com>
- Cc: "Tab Atkins Jr." <jackalmage@gmail.com>, Julian Reschke <julian.reschke@gmx.de>, HTML WG <public-html@w3.org>
As far as I can tell, everything you mention in your email below has been discussed before. There are lots of tradeoffs in the space, and no solution is perfect. However, cogitating on the issue isn't really helpful either, hence the working group decision. Adam On Fri, Oct 15, 2010 at 11:32 PM, Andrew Fedoniouk <andrew.fedoniouk@live.com> wrote: > > > -------------------------------------------------- > From: "Tab Atkins Jr." <jackalmage@gmail.com> > Sent: Friday, October 15, 2010 8:42 AM > To: "Andrew Fedoniouk" <news@terrainformatica.com> > Cc: "Julian Reschke" <julian.reschke@gmx.de>; "HTML WG" <public-html@w3.org> > Subject: Re: Working Group Decision on ISSUE-100 srcdoc > >> On Thu, Oct 14, 2010 at 9:18 PM, Andrew Fedoniouk >> <andrew.fedoniouk@live.com> wrote: >>> >>> It is technically feasible to parse content of <script type="text/html"> >>> without >>> need of any escapement at all. The only principal exception is the >>> <plaintext> >>> thing. >> >> As I said before, the reasoning against using <script> is identical to >> the reasoning against the plain <sandbox> element that was brought up >> before. I encourage you to read the previous emails on the subject >> and my Change Proposal before attempting to push this solution >> further; at the moment you are not presenting any new information, >> merely rehashing old ideas that have already been discarded as >> insufficient. > > <script type="text/html"> is used already in the wild if that counts. > And usually without any escapement. > > See Mr. Resig article: http://ejohn.org/blog/javascript-micro-templating/ > for <script type="text/html"> and > http://msdn.microsoft.com/en-us/library/ms766512(VS.85).aspx > for <script type="text/xml">. > > Back to markup-inside-markup vs. markup-inside-attribute idea. > > Citing your message > http://lists.w3.org/Archives/Public/public-html/2010Jul/0053.html > > "An <iframe> tag with a data: url in the @src attribute containing > the user-provided content. This proposal is unsatisfactory as the > escaping requirements of data: urls are non-trivial." > and > "The @srcdoc suggestion was offered as an improvement over all of these > proposals." > > These both statements are quite controversial. Level of escapement craziness > is the > same in both cases. E.g. you will need to escape a) all ""","'", > "'" > and """ sequences and then b) to escape all literal quotes. The only > way to > accomplish a) is to escape all '&' by replacing them by "&". The same > kind > of spaghetti as with URL escapements. > > In general escapement works pretty well and robust but only not in > situations > when you have to escape sequence that already uses the same escapement > schema. > Otherwise you are getting recursive escapement that is usually a sign of bad > system design. > > script type="text/html"> requires escapement of only > "</script>" sequences like: > > <script type="text/html"> > <html><script>...</script></html> > </script> > > It is possible to avoid need of escapements at all with use of > ends=N attribute that contains number of "</script>" tags > inside: > > <script type="text/html" ends=1> > <html><script>...</script></html> > </script> > > I believe that there are other options, for example > multipart-ish approach proposed by Maciej Stachowiak: > > <script ... token=F4C79A1094B3D34201E> > .... > </script token=F4C79A1094B3D34201E> > >> >> I will no longer respond until you have indicated that you have put >> forth a minimal f effort to understand the discussion that has already >> taken place and which you have been pointed towards. Discussing >> anything before you have done so is a waste of this group's time. >> > > Aye aye, sir. > > Here is a search string that I used: > http://www.w3.org/Search/Mail/Public/search?type-index=public-html&index-type=t&keywords=%3Csandbox%3E&search=Search > I suspect that these 10 messages do not cover whole discussion or is this > all of it? > > Sidenote: I believe that there is a form of better organization of such > problem - wikis probably. As soon as someone want to write a > message having "Summary:" and "Rationale:" then it is a time to > consider creation of wiki page for the problem. It will allow to see > big picture of it. (I suspect that Google Wave could be even better > for that but we sang sic-transit-gloria-mundi for it already, sigh) > > -- > Andrew Fedoniouk. > > http://terrainformatica.com > > > > >
Received on Saturday, 16 October 2010 22:13:27 UTC