RE: Section 16.2 Proposed amendment, part two from Michael Kay on 2001-04-11 (xsl-editors@w3.org from April to June 2001)

From: Michael Kay <mhkay@iclway.co.uk>
Date: Wed, 11 Apr 2001 23:07:03 +0100
To: "'Byington, Dale'" <ByingtonD@peacetech.com>, <xsl-editors@w3.org>
Message-ID: <002d01c0c2d7$792bba80$f8413c3e@PCUKMKA>

Section 16.2 Proposed amendment, part twoMy own view on this is that URL
escaping needs to be under user control. I would like to see an attribute
escape-url="yes"|"no" on the <xsl:attribute> instruction, with the default
being as at present, i.e. to do URL escaping if the output method recognizes
the attribute as one whose value is a URL.

(I also think we need disable-output-escaping on xsl:attribute, but that
should be kept separate).

Mike Kay
  -----Original Message-----
  From: w3c-xsl-wg-request@w3.org [mailto:w3c-xsl-wg-request@w3.org]On
Behalf Of Byington, Dale
  Sent: 10 April 2001 18:09
  To: 'xsl-editors@w3.org'
  Subject: Section 16.2 Proposed amendment, part two


  Due to some feedback I have received, I have slightly changed my position
on this issue. Instead of telling people to look specifically for the
"javascript:" prefix, the XSLT processor could have users place the
scripting extensions/prefixes that they use in a configuration file. The
processor would then only have to check for prefixes used by each individual
client, rather than search through a long list of possible prefixes. This
would greatly reduce the performance impact of such checking.

   -----Original Message-----
  From:   Byington, Dale
  Sent:   Tuesday, April 10, 2001 11:49 AM
  To:     'xsl-editors@w3.org'
  Subject:        Section 16.2 Proposed amendment

  Dear Editors:
          I feel that something has been overlooked in the XSL
Transformations recommendation, Section 16.2. While discussing the HTML
Output Method, the recommendation clearly states that no encoding/escaping
is to be performed on the content of <script> tags. I believe that this
prohibition should also extend to <a> tags where the href attribute contains
the prefix "javascript:". I came across a problem while using Apache Xalan
2.0.1 that complies to your specification. It escaped the href attribute,
casuing my JavaScript function calls to either not run, or to produce
erroneous output. Included below is a copy of a discussion about this topic
on the Apache Xalan developers list group. In it, I lay out the problem I am
experiencing in detail, as well as why I feel that any href beginning with
"javascript:" should not be encoded. I appreciate your consideration of this
matter, and hope that you will find merit in my reasoning. Thank You.

  <<urltest.xml>> <<urltest.xsl>>

  Dale Byington
  Peace Technology, Inc.
  13685 Baltimore Avenue
  Laurel, MD 20707-5096
  Phone:  (301) 206-9696
  Fax:  (301) 206-9722

Received on Wednesday, 11 April 2001 18:31:54 UTC