[Bug 14041] New: inconsistent definitions of safe content for scripts.

http://www.w3.org/Bugs/Public/show_bug.cgi?id=14041

           Summary: inconsistent definitions of safe content for scripts.
           Product: HTML WG
           Version: unspecified
          Platform: PC
        OS/Version: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: HTML/XHTML Compatibility Authoring Guide (ed: Eliot
                    Graff)
        AssignedTo: eliotgra@microsoft.com
        ReportedBy: davidc@nag.co.uk
         QAContact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
                    public-html@w3.org, eliotgra@microsoft.com


Informally, "safe content" is content that you can put in a script (or style)
element in a polyglot document, and conversely content that is not safe should
be placed in an external file and referenced.

However

http://dev.w3.org/html5/html-xhtml-author-guide/html-xhtml-authoring-guide.html#external-script-and-style

says

> Polyglot markup uses external scripts if that document's script or style sheet uses < or & or ]]> or --. 

The restriction on -- is not needed, <script> a-- </script> would parse the
same way in xml or html. Its inclusion appears to be related to the side
comment on not using <!-- comments in scripts, but its inclusion in the list
of strings that force the use of external files appears to be bogus.




Conversely, the following section

http://dev.w3.org/html5/html-xhtml-author-guide/html-xhtml-authoring-guide.html#in-line-script-and-style

says

> Safe content is content that does not contain a < or & character.

Here, despite what it says in the previous section, there is (correctly) no
banning of -- and (incorrectly) no banning of ]]>

Proposal.

Take the definition of "safe content" out of 9.1 and place it into section 9
immediately before 9.1 and 9.2 so both can reference it.

Then 9.1 can say scripts _must_ use external reference if the script uses
unsafe content and 9.2 can say scripts may be inline if they only contain safe
content.

As a definition of "safe content" I think

Content is not "safe" if it contains (after any xml or html entity or character
references are expanded) the characters < or & or the substring ]]>


Received on Tuesday, 6 September 2011 08:32:43 UTC
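
The three definitions discussed in the report, checked against what an XML parser and an HTML parser actually return for the same inline script text. This is an added example, not part of the original bug report or the authoring guide; the function names and sample strings are constructed for illustration, Python's html.parser and xml.etree stand in for browser parsers, and the script text is assumed to be already expanded.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample script bodies (not taken from the report).
SAMPLES = ["a-- ", "if (a < b) f()", "a && b", 'x = "]]>"']

def external_required_9_1(s):  # guide 9.1: "uses < or & or ]]> or --"
    return any(t in s for t in ("<", "&", "]]>", "--"))

def safe_9_2(s):               # guide 9.2: "does not contain a < or & character"
    return "<" not in s and "&" not in s

def safe_proposed(s):          # report's proposal: no <, no &, no substring ]]>
    return not any(t in s for t in ("<", "&", "]]>"))

class _ScriptText(HTMLParser):
    """Collects the raw text the HTML parser hands back for <script>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script, self.chunks = False, []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)

def html_text(body):
    p = _ScriptText()
    p.feed("<script>" + body + "</script>")
    p.close()
    return "".join(p.chunks)

def xml_text(body):
    try:
        el = ET.fromstring("<script>" + body + "</script>")
    except ET.ParseError:      # not well-formed as XML
        return None
    return None if len(el) else (el.text or "")

def parses_the_same(body):
    x = xml_text(body)
    return x is not None and x == html_text(body) == body

def compare(samples=SAMPLES):
    return [(s, external_required_9_1(s), safe_9_2(s), safe_proposed(s),
             parses_the_same(s)) for s in samples]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

On these samples only the proposed definition agrees with the parser comparison in every row: 9.1 forces "a-- " external although it parses identically, and 9.2 accepts the "]]>" sample although it is not well-formed XML.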