[html5] r8313 - [c] (2) Another attempt at redefining <script> content rules to make zcorpan hap [...]
whatwg at whatwg.org
whatwg at whatwg.org
Mon Nov 25 10:38:40 PST 2013
Author: ianh
Date: 2013-11-25 10:38:37 -0800 (Mon, 25 Nov 2013)
New Revision: 8313
Modified:
complete.html
index
source
Log:
[c] (2) Another attempt at redefining <script> content rules to make zcorpan happy
Fixing https://www.w3.org/Bugs/Public/show_bug.cgi?id=23590
Affected topics: HTML
Modified: complete.html
===================================================================
--- complete.html 2013-11-22 20:38:35 UTC (rev 8312)
+++ complete.html 2013-11-25 18:38:37 UTC (rev 8313)
@@ -298,7 +298,7 @@
<header class=head id=head><p><a href=http://www.whatwg.org/ class=logo><img width=101 src=/images/logo alt=WHATWG height=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 22 November 2013</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 25 November 2013</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -52162,32 +52162,27 @@
<h5 id=restrictions-for-contents-of-script-elements><span class=secno>4.12.1.2 </span><dfn title="script content restrictions">Restrictions for contents of <code>script</code> elements</dfn></h5>
+<!--CLEANUP-->
<p class=note>The easiest and safest way to avoid the rather strange restrictions described in
- this section is to always escape "<code title=""><!--</code>" as "<code title=""><\!--</code>", "<code title=""><script</code>" as "<code title=""><\script</code>", and "<code title=""></script</code>" as "<code title=""><\/script</code>" when these sequences appear in scripts (e.g. in strings or in
- comments). Doing so avoids the pitfalls that the restrictions in this section are prone to
+ this section is to always escape "<code title=""><!--</code>" as "<code title=""><\!--</code>", "<code title=""><script</code>" as "<code title=""><\script</code>", and "<code title=""></script</code>" as "<code title=""><\/script</code>" when these sequences appear in literals in scripts (e.g. in strings, regular expressions, or
+ comments), and to avoid writing code that uses such constructs in expressions. Doing so avoids the pitfalls that the restrictions in this section are prone to
triggering: namely, that, for historical reasons, parsing of <code><a href=#the-script-element>script</a></code> blocks in HTML is
- a strange and exotic practice that acts unintuitively in the face of these strings.</p>
+ a strange and exotic practice that acts unintuitively in the face of these sequences.</p>
<p>The <code><a href=#textcontent>textContent</a></code> of a <code><a href=#the-script-element>script</a></code> element must match the <code title="">script</code> production in the following ABNF, the character set for which is Unicode.
<a href=#refsABNF>[ABNF]</a></p>
- <pre>script = data1 *( "<!--" data2 *( script-start data3 script-end data2 ) "-->" data1 )
+ <pre>script = outer *( comment-open inner comment-close outer )
-data1 = < any string that doesn't contain a substring that matches not-data1 >
-not-data1 = <!-- script-end / -->"<!--" <!-- the script-end is redundant here since it would close the element -->
+outer = < any string that doesn't contain a substring that matches not-in-outer >
+not-in-outer = comment-open
+inner = < any string that doesn't contain a substring that matches not-in-inner >
+not-in-inner = comment-close / script-open
-data2 = < any string that doesn't contain a substring that matches not-data2 >
-not-data2 = <!-- script-end / -->script-start / "-->" <!-- the script-end is redundant here since it would close the element -->
+comment-open = "<!--"
+comment-close = "-->"
+script-open = "<" s c r i p t tag-end
-data3 = < any string that doesn't contain a substring that matches not-data3 >
-not-data3 = script-end / "-->"
-
-script-start = lt s c r i p t tag-end
-script-end = lt slash s c r i p t tag-end
-
-lt = %x003C ; U+003C LESS-THAN SIGN character (<)
-slash = %x002F ; U+002F SOLIDUS character (/)
-
s = %x0053 ; U+0053 LATIN CAPITAL LETTER S
s =/ %x0073 ; U+0073 LATIN SMALL LETTER S
c = %x0043 ; U+0043 LATIN CAPITAL LETTER C
@@ -52258,6 +52253,24 @@
... // this is a new script block
</mark></script></pre>
+ <p>It is possible for these sequences to naturally occur in script expressions, as in the
+ following examples:</p>
+
+ <pre>if (x<!--y) { ... }
+if ( player<script ) { ... }</pre>
+
+ <p>In such cases the characters cannot be escaped, but the expressions can be rewritten so that
+ the sequences don't occur, as in:</p>
+
+ <pre>if (x < !--y) { ... }
+if (!--y > x) { ... }
+if (!(--y) > x) { ... }
+if (player < script) { ... }
+if (script > player) { ... }</pre>
+
+ <p>Doing this also avoids a different pitfall as well: for related historical reasons, the string
+ "<!--" in JavaScript is actually treated as a line comment start, just like "//".</p>
+
</div>
Modified: index
===================================================================
--- index 2013-11-22 20:38:35 UTC (rev 8312)
+++ index 2013-11-25 18:38:37 UTC (rev 8313)
@@ -298,7 +298,7 @@
<header class=head id=head><p><a href=http://www.whatwg.org/ class=logo><img width=101 src=/images/logo alt=WHATWG height=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
- <h2 class="no-num no-toc">Living Standard — Last Updated 22 November 2013</h2>
+ <h2 class="no-num no-toc">Living Standard — Last Updated 25 November 2013</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
@@ -52162,32 +52162,27 @@
<h5 id=restrictions-for-contents-of-script-elements><span class=secno>4.12.1.2 </span><dfn title="script content restrictions">Restrictions for contents of <code>script</code> elements</dfn></h5>
+<!--CLEANUP-->
<p class=note>The easiest and safest way to avoid the rather strange restrictions described in
- this section is to always escape "<code title=""><!--</code>" as "<code title=""><\!--</code>", "<code title=""><script</code>" as "<code title=""><\script</code>", and "<code title=""></script</code>" as "<code title=""><\/script</code>" when these sequences appear in scripts (e.g. in strings or in
- comments). Doing so avoids the pitfalls that the restrictions in this section are prone to
+ this section is to always escape "<code title=""><!--</code>" as "<code title=""><\!--</code>", "<code title=""><script</code>" as "<code title=""><\script</code>", and "<code title=""></script</code>" as "<code title=""><\/script</code>" when these sequences appear in literals in scripts (e.g. in strings, regular expressions, or
+ comments), and to avoid writing code that uses such constructs in expressions. Doing so avoids the pitfalls that the restrictions in this section are prone to
triggering: namely, that, for historical reasons, parsing of <code><a href=#the-script-element>script</a></code> blocks in HTML is
- a strange and exotic practice that acts unintuitively in the face of these strings.</p>
+ a strange and exotic practice that acts unintuitively in the face of these sequences.</p>
<p>The <code><a href=#textcontent>textContent</a></code> of a <code><a href=#the-script-element>script</a></code> element must match the <code title="">script</code> production in the following ABNF, the character set for which is Unicode.
<a href=#refsABNF>[ABNF]</a></p>
- <pre>script = data1 *( "<!--" data2 *( script-start data3 script-end data2 ) "-->" data1 )
+ <pre>script = outer *( comment-open inner comment-close outer )
-data1 = < any string that doesn't contain a substring that matches not-data1 >
-not-data1 = <!-- script-end / -->"<!--" <!-- the script-end is redundant here since it would close the element -->
+outer = < any string that doesn't contain a substring that matches not-in-outer >
+not-in-outer = comment-open
+inner = < any string that doesn't contain a substring that matches not-in-inner >
+not-in-inner = comment-close / script-open
-data2 = < any string that doesn't contain a substring that matches not-data2 >
-not-data2 = <!-- script-end / -->script-start / "-->" <!-- the script-end is redundant here since it would close the element -->
+comment-open = "<!--"
+comment-close = "-->"
+script-open = "<" s c r i p t tag-end
-data3 = < any string that doesn't contain a substring that matches not-data3 >
-not-data3 = script-end / "-->"
-
-script-start = lt s c r i p t tag-end
-script-end = lt slash s c r i p t tag-end
-
-lt = %x003C ; U+003C LESS-THAN SIGN character (<)
-slash = %x002F ; U+002F SOLIDUS character (/)
-
s = %x0053 ; U+0053 LATIN CAPITAL LETTER S
s =/ %x0073 ; U+0073 LATIN SMALL LETTER S
c = %x0043 ; U+0043 LATIN CAPITAL LETTER C
@@ -52258,6 +52253,24 @@
... // this is a new script block
</mark></script></pre>
+ <p>It is possible for these sequences to naturally occur in script expressions, as in the
+ following examples:</p>
+
+ <pre>if (x<!--y) { ... }
+if ( player<script ) { ... }</pre>
+
+ <p>In such cases the characters cannot be escaped, but the expressions can be rewritten so that
+ the sequences don't occur, as in:</p>
+
+ <pre>if (x < !--y) { ... }
+if (!--y > x) { ... }
+if (!(--y) > x) { ... }
+if (player < script) { ... }
+if (script > player) { ... }</pre>
+
+ <p>Doing this also avoids a different pitfall as well: for related historical reasons, the string
+ "<!--" in JavaScript is actually treated as a line comment start, just like "//".</p>
+
</div>
Modified: source
===================================================================
--- source 2013-11-22 20:38:35 UTC (rev 8312)
+++ source 2013-11-25 18:38:37 UTC (rev 8313)
@@ -57632,36 +57632,31 @@
<h5><dfn data-x="script content restrictions">Restrictions for contents of <code>script</code> elements</dfn></h5>
+<!--CLEANUP-->
<p class="note">The easiest and safest way to avoid the rather strange restrictions described in
this section is to always escape "<code data-x=""><!--</code>" as "<code
data-x=""><\!--</code>", "<code data-x=""><script</code>" as "<code
data-x=""><\script</code>", and "<code data-x=""></script</code>" as "<code
- data-x=""><\/script</code>" when these sequences appear in scripts (e.g. in strings or in
- comments). Doing so avoids the pitfalls that the restrictions in this section are prone to
+ data-x=""><\/script</code>" when these sequences appear in literals in scripts (e.g. in strings, regular expressions, or
+ comments), and to avoid writing code that uses such constructs in expressions. Doing so avoids the pitfalls that the restrictions in this section are prone to
triggering: namely, that, for historical reasons, parsing of <code>script</code> blocks in HTML is
- a strange and exotic practice that acts unintuitively in the face of these strings.</p>
+ a strange and exotic practice that acts unintuitively in the face of these sequences.</p>
<p>The <code>textContent</code> of a <code>script</code> element must match the <code
data-x="">script</code> production in the following ABNF, the character set for which is Unicode.
<a href="#refsABNF">[ABNF]</a></p>
- <pre>script = data1 *( "<!--" data2 *( script-start data3 script-end data2 ) "-->" data1 )
+ <pre>script = outer *( comment-open inner comment-close outer )
-data1 = < any string that doesn't contain a substring that matches not-data1 >
-not-data1 = <!-- script-end / -->"<!--" <!-- the script-end is redundant here since it would close the element -->
+outer = < any string that doesn't contain a substring that matches not-in-outer >
+not-in-outer = comment-open
+inner = < any string that doesn't contain a substring that matches not-in-inner >
+not-in-inner = comment-close / script-open
-data2 = < any string that doesn't contain a substring that matches not-data2 >
-not-data2 = <!-- script-end / -->script-start / "-->" <!-- the script-end is redundant here since it would close the element -->
+comment-open = "<!--"
+comment-close = "-->"
+script-open = "<" s c r i p t tag-end
-data3 = < any string that doesn't contain a substring that matches not-data3 >
-not-data3 = script-end / "-->"
-
-script-start = lt s c r i p t tag-end
-script-end = lt slash s c r i p t tag-end
-
-lt = %x003C ; U+003C LESS-THAN SIGN character (<)
-slash = %x002F ; U+002F SOLIDUS character (/)
-
s = %x0053 ; U+0053 LATIN CAPITAL LETTER S
s =/ %x0073 ; U+0073 LATIN SMALL LETTER S
c = %x0043 ; U+0043 LATIN CAPITAL LETTER C
@@ -57733,6 +57728,24 @@
... // this is a new script block
</mark></script></pre>
+ <p>It is possible for these sequences to naturally occur in script expressions, as in the
+ following examples:</p>
+
+ <pre>if (x<!--y) { ... }
+if ( player<script ) { ... }</pre>
+
+ <p>In such cases the characters cannot be escaped, but the expressions can be rewritten so that
+ the sequences don't occur, as in:</p>
+
+ <pre>if (x < !--y) { ... }
+if (!--y > x) { ... }
+if (!(--y) > x) { ... }
+if (player < script) { ... }
+if (script > player) { ... }</pre>
+
+ <p>Doing this also avoids a different pitfall as well: for related historical reasons, the string
+ "<!--" in JavaScript is actually treated as a line comment start, just like "//".</p>
+
</div>
More information about the Commit-Watchers
mailing list