- Notifications
You must be signed in to change notification settings - Fork294
Description
http://code.google.com/p/html5lib/issues/detail?id=93
Reported by zcorpan, Feb 27, 2009
This is similar to issue 92 except there's an old Opera bug where certain
characters are treated as whitespace.http://www.opera.com/support/kb/view/900/
The characters are
U+0009, U+000A, U+000B, U+000C, U+000D, U+0020, U+002F, U+00A0, U+1680, U
+180E, U+180F, U+2000, U+2001, U+2002, U+2003, U+2004, U+2005, U+2006, U
+2007, U+2008, U+2009, U+200A, U+2028, U+2029, U+202F, U+205F and U+3000html5lib should probably quote attribute values that contain any of these.
Also, given that Gecko and WebKit start a new tag for
<foo bar=baz<quux>
you should probably also quote attribute values that contain "<".
Apr 27, 2009 excors
Also seehttp://software.hixie.ch/utilities/js/live-dom-viewer/saved/95
In addition to the values mentioned in the spec, the following seem to require
quoting:Safari 3.0: U+0000 to U+0020 inclusive
Konqueror 4.1: U+0000 to U+0020 inclusive
Safari 3.1: U+000B
Opera 9.6: U+000B
IE6, IE8: U+000B, U+0060
Firefox 2/3: (Not U+0008 despite what that test script says; those characters just
get stripped, it seems)
Apr 27, 2009 zcorpan
(U+000B is not a valid character in HTML5, though I don't know if the serializer
tries to keep the character data valid.)
Sep 4, 2009 Simetrical
The spec should be updated to ban these too, then, right? They're not interoperably
supported. I doubt anyone will cry about not being able to use sub-0x20 characters in
unquoted attribute values, anyway. :) U+60 is `, doesn't seem like a big issue
either. Should this be brought up on the mailing list?
Sep 5, 2009 geoffers
IMO yes, just someone needs to get around to it. :)
Sep 6, 2009 zcorpan
I did, and Hixie rejected it saying that it's an issue that will go away over time.
Feel free to bring it up again (citing that sites who implement the spec using a
serializer will expose themselves to security problems with legacy browsers).
Sep 7, 2009 Simetrical
I posted this a couple of days ago:
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-September/022711.html
Oct 28, 2009 geoffers
Accepted, though we still need to decide how much to quote.
Oct 30, 2009 geoffers
I don't think we need to try and get the spec to quote anything else.
This should presumably be a legacy_quote option or some such.