[css21] Escaping commas in unquoted URIs from Sylvain Galineau on 2010-03-17 (www-style@w3.org from March 2010)

From: Sylvain Galineau <sylvaing@microsoft.com>
Date: Wed, 17 Mar 2010 23:09:53 +0000
To: "www-style@w3.org" <www-style@w3.org>
CC: Brian Manthos <brianman@microsoft.com>, Arron Eicholz <Arron.Eicholz@microsoft.com>
Message-ID: <045A765940533D4CA4933A4A7E32597E1A24B043@TK5EX14MBXC120.redmond.corp.microsoft.>

CSS2.1 4.3.4 [1] states:

"The format of a URI value is 'url(' followed by optional white space followed by an optional 
single quote (') or double quote (") character followed by the URI itself, followed by an optional 
single quote (') or double quote (") character followed by optional white space followed by ')'. 
The two quote characters must be the same.

[snip]

Some characters appearing in an unquoted URI, such as parentheses, commas, white space characters, 
single quotes (') and double quotes ("), must be escaped with a backslash so that the resulting URI 
value is a URI token: '\(', '\)', '\,'."

The grammar [2] agrees: 	
url		([!#$%&*-~]|{nonascii}|{escape})*

(The "*-~" expression is a range that includes ",")

However, all browsers I have checked - latest Firefox, Safari, Opera and IE8 - accept unescaped comma delimiters within unquoted data URIs. For instance, in ACID2 [3]:

.forehead { 
	margin: 4em; 
	width: 8em; 
	border-left: solid black 1em; 
	border-right: solid black 1em; 
	background: red url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVR42mP4%2F58BAAT%2FAf9jgNErAAAAAElFTkSuQmCC); /* that's a 1x1 yellow pixel PNG */ }

Note the "base64,"  before the data proper. CSS2.1 says this URI should either be quoted or the comma escaped. But user agents accept it as is. (If for no other reason that white space, parentheses, quotes and commas are invalid base64 and thus unambiguously break a data URI ?).
 
I have also noticed TypeKit serving unquoted font data URIs to Firefox. It is by now unlikely that these two are the only instances of this issue so user agents cannot backtrack and fix this. (Brian just found out the hard way by dutifully following the spec and making Mr ACID2 look very pale).

I assume that we'd ideally want to escape whitespaces, "(", ")" and "," in non-delimited URIs to preserve the possibility of extending the url() function with new arguments, including functional arguments? (vs. simply detecting the terminating ")"). If so, it seems this door has already been closed.

We suggest the specification be updated to remove the comma character from both the prose and the grammar i.e. in 4.3.4 :

Some characters appearing in an unquoted URI, such as parentheses, white space characters, 
single quotes (') and double quotes ("), must be escaped with a backslash so that the resulting URI 
value is a URI token: '\(', '\)'."

And in Appendix G:

url	([!#$%&*\~,]|{nonascii}|{escape})




[1] http://www.w3.org/TR/CSS21/syndata.html#uri 
[2] http://www.w3.org/TR/CSS21/grammar.html
[3] http://www.webstandards.org/files/acid2/test.html#top

Received on Wednesday, 17 March 2010 23:10:29 UTC