[html5] r4704 - [e] (0) Add an example of escaped ampersands in URLs in sandbox=''. Fixing http: [...]

whatwg at whatwg.org whatwg at whatwg.org
Sat Feb 13 04:44:45 PST 2010


Author: ianh
Date: 2010-02-13 04:44:43 -0800 (Sat, 13 Feb 2010)
New Revision: 4704

Modified:
   complete.html
   index
   source
Log:
[e] (0) Add an example of escaped ampersands in URLs in sandbox=''.
Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=8806

Modified: complete.html
===================================================================
--- complete.html	2010-02-13 12:33:15 UTC (rev 4703)
+++ complete.html	2010-02-13 12:44:43 UTC (rev 4704)
@@ -19839,7 +19839,7 @@
  </article>
  <article>
   <footer> At <time pubdate>2009-08-21T23:44Z</time>, <a href="/users/cap">cap</a> writes: </footer>
-  <iframe seamless sandbox="allow-same-origin" srcdoc="<p>Yeah, you can see it <a href=&quot;/gallery/cover/1&quot;>in my gallery</a>."></iframe>
+  <iframe seamless sandbox="allow-same-origin" srcdoc="<p>Yeah, you can see it <a href=&quot;/gallery?mode=cover&amp;amp;page=1&quot;>in my gallery</a>."></iframe>
  </article>
  <article>
   <footer> At <time pubdate>2009-08-21T23:58Z</time>, <a href="/users/ch">ch</a> writes: </footer>
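Review bot: the new href on the `+` line, `/gallery?mode=cover&amp;amp;page=1`, is never shown in decoded form, so the reader has to work out the two parsing stages alone. Consider stating them next to the example: the srcdoc attribute value decodes to `&amp;page=1`, and the nested document then decodes that to `&page=1`. It is also worth a word on why `&quot;` around the href is escaped only once while the ampersand is escaped twice, since the asymmetry is visible on this line and nothing explains it.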
@@ -19847,6 +19847,15 @@
 <p>you should get earl&amp;amp;me on the next cover."></iframe>
  </article></pre>
 
+   <p>Notice the way that quotes have to be escaped (otherwise the
+   <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute would
+   end prematurely), and the way raw ampersands (e.g. in URLs or in
+   prose) mentioned in the sandboxed content have to be
+   <em>doubly</em> escaped — once so that the ampersand is
+   preserved when originally parsing the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, and once more
+   to prevent the ampersand from being misinterpreted when parsing the
+   sandboxed content.</p>
+
   </div>
 
   <p class=note>In <a href=#syntax>the HTML syntax</a>, authors need only
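Review bot: the added paragraph names the wrong attribute in both places ("otherwise the sandbox attribute would end prematurely" and "when originally parsing the sandbox attribute"). In the example the escaped quotes and ampersands all sit inside srcdoc="..."; the sandbox value is only allow-same-origin and contains nothing to escape. Both mentions should read srcdoc, and the two links should target that attribute's definition instead of #attr-iframe-sandbox.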

Modified: index
===================================================================
--- index	2010-02-13 12:33:15 UTC (rev 4703)
+++ index	2010-02-13 12:44:43 UTC (rev 4704)
@@ -19738,7 +19738,7 @@
  </article>
  <article>
   <footer> At <time pubdate>2009-08-21T23:44Z</time>, <a href="/users/cap">cap</a> writes: </footer>
-  <iframe seamless sandbox="allow-same-origin" srcdoc="<p>Yeah, you can see it <a href=&quot;/gallery/cover/1&quot;>in my gallery</a>."></iframe>
+  <iframe seamless sandbox="allow-same-origin" srcdoc="<p>Yeah, you can see it <a href=&quot;/gallery?mode=cover&amp;amp;page=1&quot;>in my gallery</a>."></iframe>
  </article>
  <article>
   <footer> At <time pubdate>2009-08-21T23:58Z</time>, <a href="/users/ch">ch</a> writes: </footer>
@@ -19746,6 +19746,15 @@
 <p>you should get earl&amp;amp;me on the next cover."></iframe>
  </article></pre>
 
+   <p>Notice the way that quotes have to be escaped (otherwise the
+   <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute would
+   end prematurely), and the way raw ampersands (e.g. in URLs or in
+   prose) mentioned in the sandboxed content have to be
+   <em>doubly</em> escaped — once so that the ampersand is
+   preserved when originally parsing the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, and once more
+   to prevent the ampersand from being misinterpreted when parsing the
+   sandboxed content.</p>
+
   </div>
 
   <p class=note>In <a href=#syntax>the HTML syntax</a>, authors need only
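Review bot: both `<code>` references in the added paragraph here link to #attr-iframe-sandbox, yet the text describes escaping inside the srcdoc value of the iframes shown above. This copy needs the same correction to srcdoc, in the link text and in the link target.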

Modified: source
===================================================================
--- source	2010-02-13 12:33:15 UTC (rev 4703)
+++ source	2010-02-13 12:44:43 UTC (rev 4704)
@@ -21070,7 +21070,7 @@
  </article>
  <article>
   <footer> At <time pubdate>2009-08-21T23:44Z</time>, <a href="/users/cap">cap</a> writes: </footer>
-  <iframe seamless sandbox="allow-same-origin" srcdoc="<p>Yeah, you can see it <a href=&quot;/gallery/cover/1&quot;>in my gallery</a>."></iframe>
+  <iframe seamless sandbox="allow-same-origin" srcdoc="<p>Yeah, you can see it <a href=&quot;/gallery?mode=cover&amp;amp;page=1&quot;>in my gallery</a>."></iframe>
  </article>
  <article>
   <footer> At <time pubdate>2009-08-21T23:58Z</time>, <a href="/users/ch">ch</a> writes: </footer>
@@ -21078,6 +21078,16 @@
 <p>you should get earl&amp;amp;me on the next cover."></iframe>
  </article></pre>
 
+   <p>Notice the way that quotes have to be escaped (otherwise the
+   <code title="attr-iframe-sandbox">sandbox</code> attribute would
+   end prematurely), and the way raw ampersands (e.g. in URLs or in
+   prose) mentioned in the sandboxed content have to be
+   <em>doubly</em> escaped — once so that the ampersand is
+   preserved when originally parsing the <code
+   title="attr-iframe-sandbox">sandbox</code> attribute, and once more
+   to prevent the ampersand from being misinterpreted when parsing the
+   sandboxed content.</p>
+
   </div>
 
   <p class="note">In <span>the HTML syntax</span>, authors need only
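Review bot: in the added paragraph, both `<code title="attr-iframe-sandbox">sandbox</code>` references should refer to srcdoc, because that is the attribute whose value carries the `&quot;` and `&amp;amp;` sequences in the example. Change the element text and the title key here so that the cross-references in complete.html and index resolve to the srcdoc definition. The log message has the same slip ("in sandbox=''").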
