Re: [css21] Escaping commas in unquoted URIs from L. David Baron on 2010-03-17 (www-style@w3.org from March 2010)

From: L. David Baron <dbaron@dbaron.org>
Date: Wed, 17 Mar 2010 16:36:40 -0700
To: "www-style@w3.org" <www-style@w3.org>, Sylvain Galineau <sylvaing@microsoft.com>
Message-ID: <20100317233640.GA13589@pickering.dbaron.org>

On Wednesday 2010-03-17 23:09 +0000, Sylvain Galineau wrote:
> CSS2.1 4.3.4 [1] states:
> 
> "The format of a URI value is 'url(' followed by optional white
> space followed by an optional single quote (') or double quote (")
> character followed by the URI itself, followed by an optional
> single quote (') or double quote (") character followed by
> optional white space followed by ')'.  The two quote characters
> must be the same.
> 
> [snip]
> 
> Some characters appearing in an unquoted URI, such as parentheses,
> commas, white space characters, single quotes (') and double
> quotes ("), must be escaped with a backslash so that the resulting
> URI value is a URI token: '\(', '\)', '\,'."
> 
> The grammar [2] agrees: 	
> url		([!#$%&*-~]|{nonascii}|{escape})*
> 
> (The "*-~" expression is a range that includes ",")

I'd describe that as the grammar *disagreeing*, since the grammar
says that commas are allowed in the production for unquoted URIs
(they're part of the range *-~).

Likewise, the tokenization in section 4.1, which is significantly
more important than the appendix G grammar, also (like the grammar
in appendix G) says that commas are allowed.

> However, all browsers I have checked - latest Firefox, Safari,
> Opera and IE8 - accept unescaped comma delimiters within unquoted
> data URIs.

This agrees with the grammar and the tokenization rules.

> We suggest the specification be updated to remove the comma
> character from both the prose and the grammar i.e. in 4.3.4 :
> 
> Some characters appearing in an unquoted URI, such as parentheses,
> white space characters, single quotes (') and double quotes ("),
> must be escaped with a backslash so that the resulting URI value
> is a URI token: '\(', '\)'."

I agree with this proposal to change 4.3.4, since that would make it
match both grammars (4.1 and G) and implementations.

> And in Appendix G:
> 
> url	([!#$%&*\~,]|{nonascii}|{escape})

And I disagree with the proposal to change the grammar to make it
not match implementations.  (I'm also not quite sure what you meant
to type in that proposal.)

-David

-- 
L. David Baron                                 http://dbaron.org/
Mozilla Corporation                       http://www.mozilla.com/

Received on Wednesday, 17 March 2010 23:37:11 UTC