[whatwg] input element's value should not be sanitized during parsing

Mounir Lamouri mounir.lamouri at gmail.com
Mon Sep 20 23:48:16 PDT 2010


Hi,

For a few days, Firefox's nightly had a bug related to value sanitizing
which happens to be a specification bug.
With the current specification, these two elements will not have the
same value:
<input value="foo
bar" type='hidden'>
<input type='hidden' value="foo
bar">
Depending on how the attributes are read, value will be set before or
after type, thus changing the value sanitization algorithm. So, the
value sanitization algorithm of <input type='text'> will be used for one
of these elements and the value will be "foobar".

The following change would fix that bug:
- The specification should add that the value sanitization algorithm
should not be used during parsing/as long as the element hasn't been
created.
OR
- The specification should add in the set value content attribute
paragraph that the value sanitization algorithm should not be run during
parsing/if the element hasn't been created.

From a specification point of view, both changes would have the same result.

The specifications already require that the value sanitization algorithm
should be run when the element is "first created".
So, with this change, the element's value will be un-sanitized during
parsing and as soon as parsing is done, the element's value
will be sanitized.

By the way, "first created" could probably be changed to a concept from
the specifications. We can guess what that means but there is no strong
notion behind these words AFAIK.

Thanks,
--
Mounir
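
The ordering problem described in this message, as an added example that is not part of the original post and is not browser or specification code. It is a simplified model: ModelInput, parse and the sanitizeDuringParsing switch are hypothetical names, only the Text and Hidden states are modelled, and the sample attribute lists are constructed from the two elements quoted above.

```javascript
// Value sanitization per type state (simplified assumption):
// Text strips line breaks, Hidden leaves the value untouched.
const sanitizers = new Map([
  ["text", (v) => v.replace(/[\r\n]/g, "")],
  ["hidden", (v) => v],
]);

class ModelInput {
  constructor(sanitizeDuringParsing) {
    this.type = "text"; // state used while no type attribute has been seen
    this.value = "";
    this.created = false;
    this.sanitizeDuringParsing = sanitizeDuringParsing;
  }
  sanitize() {
    this.value = sanitizers.get(this.type)(this.value);
  }
  setAttribute(name, v) {
    if (name === "type") this.type = sanitizers.has(v) ? v : "text";
    if (name === "value") this.value = v;
    // Behaviour reported in the message: sanitize on every attribute set,
    // even while the parser is still adding attributes.
    // Proposed behaviour: skip this until the element has been created.
    if (this.created || this.sanitizeDuringParsing) this.sanitize();
  }
  finishCreation() {
    // "First created": sanitize once, with the final type in effect.
    this.created = true;
    this.sanitize();
  }
}

// Feed attributes in source order, as a parser would, then finish creation.
function parse(attrs, sanitizeDuringParsing) {
  const el = new ModelInput(sanitizeDuringParsing);
  for (const [name, v] of attrs) el.setAttribute(name, v);
  el.finishCreation();
  return el.value;
}

// Constructed sample input: the two elements from the message.
const valueFirst = [["value", "foo\nbar"], ["type", "hidden"]];
const typeFirst = [["type", "hidden"], ["value", "foo\nbar"]];

for (const mode of [true, false]) {
  console.log(mode ? "sanitize during parsing:" : "deferred until created:",
    JSON.stringify(parse(valueFirst, mode)), JSON.stringify(parse(typeFirst, mode)));
}
```
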