<p>One advantage is almost the same as your footnote: JavaScript source is permitted in the values of many attributes, and can certainly contain the > operator. </p>
<p>On Jun 25, 2010 12:34 PM, "Benjamin M. Schwartz" <<a href="mailto:bmschwar@fas.harvard.edu">bmschwar@fas.harvard.edu</a>> wrote:<br type="attribution">> On 06/25/2010 11:50 AM, Boris Zbarsky wrote:<br>
>> It seems like what you want here is for browsers to parse as they do<br>>> now, but a particular subset of browser-accepted syntax to be enshrined<br>>> so that when defining your restrictions over content you control you can<br>
>> just say "follow the spec" instead of "follow the spec and don't put '>'<br>>> in attribute values", right?<br>> <br>> That's more or less how I feel. The spec places requirements on how "user<br>
> agents, data mining tools, and conformance checkers" must handle<br>> non-conforming input, but there are many other things in the world that<br>> process HTML. In other applications, it may be acceptable to have<br>
> undefined behavior on non-conforming input, like in ISO C.<br>> <br>> HTML5 has a very clear specification of conformance, and a validator is<br>> widely available. If I build a tool that guarantees correct behavior only<br>
> on conforming inputs, then users can easily check their documents for<br>> conformance before using my tool. If my tool has additional restrictions,<br>> then I need to write my own validator, and answer a lot of questions.<br>
> <br>> I was inspired to suggest this restriction after using mod_layout for<br>> Apache, which inserts a banner at the top of a page. It works by doing a<br>> wildcard search for "<body*>". There are a number of obvious ways to<br>
> break this [1]; one of them is by having ">" in an attribute value. I'm<br>> sure there are many thousands of such programs around the world.<br>> <br>> It sounds like most experts here would prefer to allow ">" in attribute<br>
> values in conforming documents, and that's fine. I don't fully understand<br>> the advantage, but I won't argue against consensus.<br>> <br>> --Ben<br>> <br>> [1] A javascript line like "width<bodywidth && height>bodyheight" would<br>
> also break it, as would an appropriately constructed comment. It might be<br>> possible to construct a regexp for this that functions correctly on all<br>> conformant HTML5 documents. Such a regexp would be considerably simpler<br>
> if ">" were disallowed in attribute values.<br>> <br></p>