<br><br><div class="gmail_quote">On Wed, May 21, 2008 at 5:30 PM, Ian Hickson <ian@hixie.ch> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I'm thinking of introducing a<br>
new attribute. I haven't worked out what to call it yet, but definitely<br>
not "src", "source", "src2", "content", "value", or "data" -- maybe<br>
"html" or "doc", though neither of those are great. This attribute would<br>
take a string which would then be interpreted as the source document<br>
markup of an HTML document, much like the above; it would override src=""<br>
if it was present, allowing src="" to be used for legacy UAs:<br>
<br>
<iframe seamless sandbox="allow-scripts allow-forms" doc="<br>
<!DOCTYPE HTML><br>
<title></title><br>
Welcome to my blog!<br>
</sandbox><br>
<a href='#' onclick='alert(document.cookie)'>Click here</a><br>
"></iframe><br>
<br>
(There are things we can do to make this better, e.g. make the <!DOCTYPE<br>
HTML> and <title></title> bits implicit, maybe introducing type="" to say<br>
whether it's HTML or XML instead of only supporting HTML, maybe saying<br>
that if src="" and doc="" are both specified they must have identical<br>
data, etc.)<br>
<br>
Comments and suggestions on this are welcome. I haven't added it to the<br>
spec yet. I do agree that without this or something equivalent that we<br>
don't have a solution for sandboxing embedded blog comments yet.<br>
</blockquote></div>I'm trying to find the part of the spec where this is stated explicitly, but aren't attributes limited to ASCII text? If this is intended (among other things) to embed blog comments, this is no good - more than just us English-speakers write comments. Assuming I'm not remembering this whole thing wrong, we either need to require an encoding that can preserve non-ASCII text without breaking (essentially, the data URI route), or go another way entirely.<br>
<br>~TJ<br>
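Added example, not part of the original thread or of any spec text: the two carriers discussed above for an untrusted comment, an escaped value for the proposed doc="" attribute and a percent-encoded data: URI, each round-tripped with non-ASCII text. The function names and the sample comment are constructed for illustration, and "doc" is only the attribute name floated in the quoted mail.

```javascript
// Constructed sample comment: non-ASCII text plus the two characters that
// matter inside a double-quoted attribute value (" and &).
const SAMPLE_COMMENT = 'Grüße, 世界! She said "hi" & left <b>now</b>';

// Escape for a double-quoted HTML attribute value. Inside such a value only
// & (starts a character reference) and " (ends the value) are special.
function escapeAttr(text) {
  return text.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Stand-in for what an HTML parser does when it reads the value back.
function unescapeAttr(value) {
  return value.replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

// Carrier 1: comment markup in the proposed doc="" attribute (hypothetical name).
function frameWithDocAttr(commentHtml) {
  return '<iframe seamless sandbox="allow-scripts allow-forms" doc="' +
    escapeAttr(commentHtml) + '"></iframe>';
}

// Carrier 2: the "data URI route". encodeURIComponent emits UTF-8 bytes as
// %XX, so the whole tag is ASCII and contains no raw ", <, > or &.
function frameWithDataUri(commentHtml) {
  const uri = "data:text/html;charset=utf-8," + encodeURIComponent(commentHtml);
  return '<iframe seamless sandbox="allow-scripts allow-forms" src="' + uri + '"></iframe>';
}

// Recover the comment from carrier 1, as the embedding UA would.
function readDocAttr(frameHtml) {
  const m = / doc="([^"]*)"/.exec(frameHtml);
  return m ? unescapeAttr(m[1]) : null;
}

// Recover the comment from carrier 2.
function readDataUri(frameHtml) {
  const m = / src="data:text\/html;charset=utf-8,([^"]*)"/.exec(frameHtml);
  return m ? decodeURIComponent(m[1]) : null;
}

// True when every code unit of the string is in the ASCII range.
function isAscii(s) {
  return /^[\x00-\x7F]*$/.test(s);
}
```

The attribute carrier keeps non-ASCII characters literally and so depends on the page's own character encoding; the data: URI carrier is ASCII-only at the cost of size.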