W3C home > Mailing lists > Public > public-qt-comments@w3.org > November 2009

[Bug 8206] New: Serialization requires no escaping of < in URI attribute with XHTML

From: <bugzilla@wiggum.w3.org>
Date: Thu, 05 Nov 2009 21:20:37 +0000
To: public-qt-comments@w3.org
Message-ID: <bug-8206-523@http.www.w3.org/Bugs/Public/>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=8206

           Summary: Serialization requires no escaping of < in URI attribute
                    with XHTML
           Product: XPath / XQuery / XSLT
           Version: Recommendation
          Platform: PC
               URL: http://www.w3.org/TR/2007/REC-xslt-xquery-serialization-
                    20070123/#serphases
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Serialization
        AssignedTo: zongaro@ca.ibm.com
        ReportedBy: zongaro@ca.ibm.com
         QAContact: public-qt-comments@w3.org


A colleague pointed out this problem in the "Character Expansion" step of the
phases of serialization.[1]  Suppose the output method is XHTML and the
escape-uri-attributes serialization parameter has the value "yes".  For any URI
attribute, step 3a. requires URI escaping to be applied and that steps 3b.
through 3e. be skipped.

The URI escaping is described in three steps:  i) Unicode normalization; ii)
percent encoding as described for fn:escape-html-uri; and iii) escaping
"according to HTML rules any characters (such as < and &) where HTML requires
escaping.  For example, replace < with &lt;."

For other attributes, step 3e. would cause a less than to be replaced with &lt;
or an equivalent character reference.

It's not clear which HTML rules apply here - those of the various HTML
recommendations, those of the HTML output method or both.  If this was a
reference to the rules of the HTML output method, alone or together with the
requirements of the relevant HTML recommendation, it must be noted that section
7.2 of serialization actually prohibits a less than character from being
escaped.[2]  It states, "The HTML output method MUST NOT escape "<" characters
occurring in attribute values."

[1] http://www.w3.org/TR/2007/REC-xslt-xquery-serialization-20070123/#serphases
[2]
http://www.w3.org/TR/2007/REC-xslt-xquery-serialization-20070123/#HTML_ATTRIBS


-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Thursday, 5 November 2009 21:20:40 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:57:29 UTC