[html5] r8233 - [e] (0) Include more non-normative documentation in the script content restricti [...]
whatwg at whatwg.org
Mon Oct 21 15:31:00 PDT 2013
Author: ianh
Date: 2013-10-21 15:30:53 -0700 (Mon, 21 Oct 2013)
New Revision: 8233
Modified:
complete.html
index
source
Log:
[e] (0) Include more non-normative documentation in the script content restrictions section.
Affected topics: HTML
Modified: complete.html
===================================================================
--- complete.html 2013-10-21 17:10:25 UTC (rev 8232)
+++ complete.html 2013-10-21 22:30:53 UTC (rev 8233)
@@ -52055,6 +52055,12 @@
<h5 id=restrictions-for-contents-of-script-elements><span class=secno>4.12.1.2 </span><dfn title="script content restrictions">Restrictions for contents of <code>script</code> elements</dfn></h5>
+ <p class=note>The easiest and safest way to avoid the rather strange restrictions described in
+ this section is to always escape "<code title=""><!--</code>" as "<code title=""><\!--</code>", "<code title=""><script</code>" as "<code title=""><\script</code>", and "<code title=""></script</code>" as "<code title=""><\/script</code>" when these sequences appear in scripts (e.g. in strings or in
+ comments). Doing so avoids the pitfalls that the restrictions in this section are prone to
+ triggering: namely, that, for historical reasons, parsing of <code><a href=#the-script-element>script</a></code> blocks in HTML is
+ a strange and exotic practice that acts unintuitively in the face of these strings.</p>
+
<p>The <code><a href=#textcontent>textContent</a></code> of a <code><a href=#the-script-element>script</a></code> element must match the <code title="">script</code> production in the following ABNF, the character set for which is Unicode.
<a href=#refsABNF>[ABNF]</a></p>
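Review bot: The added note recommends "<\script" wherever the sequence appears "in scripts (e.g. in strings or in comments)", but that rewrite only preserves meaning inside a JavaScript string literal or a comment. In a regular expression literal "\s" is the whitespace class, so "<\script" would stop matching the text "<script". Suggest either limiting the advice to string literals and comments, or also naming a form that works in both places, such as writing the "<" as "\x3C".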
@@ -52099,7 +52105,56 @@
<p>When a <code><a href=#the-script-element>script</a></code> element contains <a href=#inline-documentation-for-external-scripts>script documentation</a>, there are
further restrictions on the contents of the element, as described in the section below.</p>
+ <div class=example>
+ <p>The following script illustrates this issue. Suppose you have a script that contains a string,
+ as in:</p>
+
+ <pre>var example = 'Consider this string: <!-- <script>';
+console.log(example);</pre>
+
+ <p>If one were to put this string directly in a <code><a href=#the-script-element>script</a></code> block, it would violate the
+ restrictions above:</p>
+
+ <pre><script>
+ var example = 'Consider this string: <!-- <script>';
+ console.log(example);
+</script></pre>
+
+ <p>The bigger problem, though, and the reason why it would violate those restrictions, is that
+ actually the script would get parsed weirdly: <em>the script block above is not terminated</em>.
+ That is, what looks like a "<code title=""></script></code>" end tag in this snippet is
+ actually still part of the <code><a href=#the-script-element>script</a></code> block. The script doesn't execute (since it's not
+ terminated); if it somehow was to execute, as it might if the markup looked as follows, it would
+ fail because the script (highlighted here) is not valid JavaScript:</p>
+
+ <pre><script><mark>
+ var example = 'Consider this string: <!-- <script>';
+ console.log(example);
+</script>
+<!-- despite appearances, this is actually part of the script still! -->
+<script>
+ ... // this is the same script block still...
+</mark></script></pre>
+
+ <p>What is going on here is that for legacy reasons, "<code title=""><!--</code>" and "<code title=""><script</code>" strings in <code><a href=#the-script-element>script</a></code> elements in HTML need to be balanced
+ in order for the parser to consider closing the block.</p>
+
+ <p>By escaping the problematic strings as mentioned at the top of this section, the problem is
+ avoided entirely:</p>
+
+ <pre><script><mark>
+ var example = 'Consider this string: <\!-- <\script>';
+ console.log(example);
+</mark></script>
+<!-- this is just a comment between script blocks -->
+<script><mark>
+ ... // this is a new script block
+</mark></script></pre>
+
+ </div>
+
+
<h5 id=inline-documentation-for-external-scripts><span class=secno>4.12.1.3 </span><dfn title="script documentation">Inline documentation for external scripts</dfn></h5>
<p>If a <code><a href=#the-script-element>script</a></code> element's <code title=attr-script-src><a href=#attr-script-src>src</a></code> attribute is
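Review bot: The paragraph saying that "<!--" and "<script" strings "need to be balanced in order for the parser to consider closing the block" does not say what balances them, so the reader cannot tell from the text why the first "</script>" in the highlighted example is swallowed. Suggest stating it directly: once "<!--" has been seen, a following "<script" causes the next "</script>" to be consumed as script text instead of ending the element, and a "-->" returns the parser to normal handling.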
@@ -100980,6 +101035,7 @@
Jacob Davies,
Jacques Distler,
Jake Verbaten,
+ Jakub Łopuszański,
James Craig,
James Graham,
James Greene,
Modified: index
===================================================================
--- index 2013-10-21 17:10:25 UTC (rev 8232)
+++ index 2013-10-21 22:30:53 UTC (rev 8233)
@@ -52055,6 +52055,12 @@
<h5 id=restrictions-for-contents-of-script-elements><span class=secno>4.12.1.2 </span><dfn title="script content restrictions">Restrictions for contents of <code>script</code> elements</dfn></h5>
+ <p class=note>The easiest and safest way to avoid the rather strange restrictions described in
+ this section is to always escape "<code title=""><!--</code>" as "<code title=""><\!--</code>", "<code title=""><script</code>" as "<code title=""><\script</code>", and "<code title=""></script</code>" as "<code title=""><\/script</code>" when these sequences appear in scripts (e.g. in strings or in
+ comments). Doing so avoids the pitfalls that the restrictions in this section are prone to
+ triggering: namely, that, for historical reasons, parsing of <code><a href=#the-script-element>script</a></code> blocks in HTML is
+ a strange and exotic practice that acts unintuitively in the face of these strings.</p>
+
<p>The <code><a href=#textcontent>textContent</a></code> of a <code><a href=#the-script-element>script</a></code> element must match the <code title="">script</code> production in the following ABNF, the character set for which is Unicode.
<a href=#refsABNF>[ABNF]</a></p>
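Review bot: The note lists the three sequences in lower case only and does not say that the parser matches them ASCII case-insensitively, so an author following it literally could leave "<SCRIPT" or "</Script" unescaped. Suggest adding "in any letter case" after the list of sequences.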
@@ -52099,7 +52105,56 @@
<p>When a <code><a href=#the-script-element>script</a></code> element contains <a href=#inline-documentation-for-external-scripts>script documentation</a>, there are
further restrictions on the contents of the element, as described in the section below.</p>
+ <div class=example>
+ <p>The following script illustrates this issue. Suppose you have a script that contains a string,
+ as in:</p>
+
+ <pre>var example = 'Consider this string: <!-- <script>';
+console.log(example);</pre>
+
+ <p>If one were to put this string directly in a <code><a href=#the-script-element>script</a></code> block, it would violate the
+ restrictions above:</p>
+
+ <pre><script>
+ var example = 'Consider this string: <!-- <script>';
+ console.log(example);
+</script></pre>
+
+ <p>The bigger problem, though, and the reason why it would violate those restrictions, is that
+ actually the script would get parsed weirdly: <em>the script block above is not terminated</em>.
+ That is, what looks like a "<code title=""></script></code>" end tag in this snippet is
+ actually still part of the <code><a href=#the-script-element>script</a></code> block. The script doesn't execute (since it's not
+ terminated); if it somehow was to execute, as it might if the markup looked as follows, it would
+ fail because the script (highlighted here) is not valid JavaScript:</p>
+
+ <pre><script><mark>
+ var example = 'Consider this string: <!-- <script>';
+ console.log(example);
+</script>
+<!-- despite appearances, this is actually part of the script still! -->
+<script>
+ ... // this is the same script block still...
+</mark></script></pre>
+
+ <p>What is going on here is that for legacy reasons, "<code title=""><!--</code>" and "<code title=""><script</code>" strings in <code><a href=#the-script-element>script</a></code> elements in HTML need to be balanced
+ in order for the parser to consider closing the block.</p>
+
+ <p>By escaping the problematic strings as mentioned at the top of this section, the problem is
+ avoided entirely:</p>
+
+ <pre><script><mark>
+ var example = 'Consider this string: <\!-- <\script>';
+ console.log(example);
+</mark></script>
+<!-- this is just a comment between script blocks -->
+<script><mark>
+ ... // this is a new script block
+</mark></script></pre>
+
+ </div>
+
+
<h5 id=inline-documentation-for-external-scripts><span class=secno>4.12.1.3 </span><dfn title="script documentation">Inline documentation for external scripts</dfn></h5>
<p>If a <code><a href=#the-script-element>script</a></code> element's <code title=attr-script-src><a href=#attr-script-src>src</a></code> attribute is
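Review bot: The corrected example at the end of the div demonstrates "<\!--" and "<\script>" but never the third escape the note at the top of the section recommends, "<\/script". Suggest extending the example string so that it also contains a closing tag written as "<\/script>", so that all three recommended escapes are shown once.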
@@ -100980,6 +101035,7 @@
Jacob Davies,
Jacques Distler,
Jake Verbaten,
+ Jakub Łopuszański,
James Craig,
James Graham,
James Greene,
Modified: source
===================================================================
--- source 2013-10-21 17:10:25 UTC (rev 8232)
+++ source 2013-10-21 22:30:53 UTC (rev 8233)
@@ -57552,6 +57552,15 @@
<h5><dfn data-x="script content restrictions">Restrictions for contents of <code>script</code> elements</dfn></h5>
+ <p class="note">The easiest and safest way to avoid the rather strange restrictions described in
+ this section is to always escape "<code data-x=""><!--</code>" as "<code
+ data-x=""><\!--</code>", "<code data-x=""><script</code>" as "<code
+ data-x=""><\script</code>", and "<code data-x=""></script</code>" as "<code
+ data-x=""><\/script</code>" when these sequences appear in scripts (e.g. in strings or in
+ comments). Doing so avoids the pitfalls that the restrictions in this section are prone to
+ triggering: namely, that, for historical reasons, parsing of <code>script</code> blocks in HTML is
+ a strange and exotic practice that acts unintuitively in the face of these strings.</p>
+
<p>The <code>textContent</code> of a <code>script</code> element must match the <code
data-x="">script</code> production in the following ABNF, the character set for which is Unicode.
<a href="#refsABNF">[ABNF]</a></p>
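Review bot: The backslash forms in this note depend on JavaScript string syntax, where "\!", "\s" and "\/" each yield the plain character, but the note only says "in scripts" and the section it opens covers the contents of every script element. In a script element holding JSON, "\!" and "\s" are not valid escapes. Suggest saying explicitly that the escapes are for JavaScript, and that other content should use its own language's escape for the "<" (for JSON, "\u003c").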
@@ -57597,7 +57606,57 @@
<p>When a <code>script</code> element contains <span>script documentation</span>, there are
further restrictions on the contents of the element, as described in the section below.</p>
+ <div class="example">
+ <p>The following script illustrates this issue. Suppose you have a script that contains a string,
+ as in:</p>
+
+ <pre>var example = 'Consider this string: <!-- <script>';
+console.log(example);</pre>
+
+ <p>If one were to put this string directly in a <code>script</code> block, it would violate the
+ restrictions above:</p>
+
+ <pre><script>
+ var example = 'Consider this string: <!-- <script>';
+ console.log(example);
+</script></pre>
+
+ <p>The bigger problem, though, and the reason why it would violate those restrictions, is that
+ actually the script would get parsed weirdly: <em>the script block above is not terminated</em>.
+ That is, what looks like a "<code data-x=""></script></code>" end tag in this snippet is
+ actually still part of the <code>script</code> block. The script doesn't execute (since it's not
+ terminated); if it somehow was to execute, as it might if the markup looked as follows, it would
+ fail because the script (highlighted here) is not valid JavaScript:</p>
+
+ <pre><script><mark>
+ var example = 'Consider this string: <!-- <script>';
+ console.log(example);
+</script>
+<!-- despite appearances, this is actually part of the script still! -->
+<script>
+ ... // this is the same script block still...
+</mark></script></pre>
+
+ <p>What is going on here is that for legacy reasons, "<code data-x=""><!--</code>" and "<code
+ data-x=""><script</code>" strings in <code>script</code> elements in HTML need to be balanced
+ in order for the parser to consider closing the block.</p>
+
+ <p>By escaping the problematic strings as mentioned at the top of this section, the problem is
+ avoided entirely:</p>
+
+ <pre><script><mark>
+ var example = 'Consider this string: <\!-- <\script>';
+ console.log(example);
+</mark></script>
+<!-- this is just a comment between script blocks -->
+<script><mark>
+ ... // this is a new script block
+</mark></script></pre>
+
+ </div>
+
+
<h5><dfn data-x="script documentation">Inline documentation for external scripts</dfn></h5>
<p>If a <code>script</code> element's <code data-x="attr-script-src">src</code> attribute is
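Review bot: Wording in the third paragraph of the example: "if it somehow was to execute" should read "were to execute", and "actually the script would get parsed weirdly" adds nothing that the emphasised clause after it does not already say. Suggest "the script would not be parsed the way it appears: the script block above is not terminated".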
@@ -112862,6 +112921,7 @@
Jacob Davies,
Jacques Distler,
Jake Verbaten,
+ Jakub Łopuszański,
James Craig,
James Graham,
James Greene,