[html5] r8236 - [e] (0) Add a related way to escape scripts. Fixing https://www.w3.org/Bugs/Publ [...]
whatwg at whatwg.org
Tue Oct 22 14:37:45 PDT 2013
Author: ianh
Date: 2013-10-22 14:37:35 -0700 (Tue, 22 Oct 2013)
New Revision: 8236
Modified:
complete.html
index
source
Log:
[e] (0) Add a related way to escape scripts.
Fixing https://www.w3.org/Bugs/Public/show_bug.cgi?id=23590
Affected topics: HTML
Modified: complete.html
===================================================================
--- complete.html 2013-10-22 18:15:24 UTC (rev 8235)
+++ complete.html 2013-10-22 21:37:35 UTC (rev 8236)
@@ -52055,9 +52055,12 @@
<h5 id=restrictions-for-contents-of-script-elements><span class=secno>4.12.1.2 </span><dfn title="script content restrictions">Restrictions for contents of <code>script</code> elements</dfn></h5>
+<!--CLEANUP-->
+
<p class=note>The easiest and safest way to avoid the rather strange restrictions described in
this section is to always escape "<code title=""><!--</code>" as "<code title=""><\!--</code>", "<code title=""><script</code>" as "<code title=""><\script</code>", and "<code title=""></script</code>" as "<code title=""><\/script</code>" when these sequences appear in scripts (e.g. in strings or in
- comments). Doing so avoids the pitfalls that the restrictions in this section are prone to
+ comments). Alternatively, always replace "<code><</code>" characters in strings and comments in
+ <code><a href=#the-script-element>script</a></code> blocks as "\u003C". Doing either of these avoids the pitfalls that the restrictions in this section are prone to
triggering: namely, that, for historical reasons, parsing of <code><a href=#the-script-element>script</a></code> blocks in HTML is
a strange and exotic practice that acts unintuitively in the face of these strings.</p>
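Review bot: The alternative added on the "+" lines covers only "<" characters "in strings and comments", yet the rewritten closing sentence claims that "Doing either of these avoids the pitfalls". The first rule is worded "e.g. in strings or in comments", so it also reaches sequences elsewhere in a script, such as a "<!--" formed by operators in an expression like x<!--y, where a "\u003C" escape cannot be substituted. Suggest qualifying the new sentence: say the second approach applies only where the sequence sits inside a string literal or comment, and that code outside them has to be rewritten (for example with added whitespace) instead.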
Modified: index
===================================================================
--- index 2013-10-22 18:15:24 UTC (rev 8235)
+++ index 2013-10-22 21:37:35 UTC (rev 8236)
@@ -52055,9 +52055,12 @@
<h5 id=restrictions-for-contents-of-script-elements><span class=secno>4.12.1.2 </span><dfn title="script content restrictions">Restrictions for contents of <code>script</code> elements</dfn></h5>
+<!--CLEANUP-->
+
<p class=note>The easiest and safest way to avoid the rather strange restrictions described in
this section is to always escape "<code title=""><!--</code>" as "<code title=""><\!--</code>", "<code title=""><script</code>" as "<code title=""><\script</code>", and "<code title=""></script</code>" as "<code title=""><\/script</code>" when these sequences appear in scripts (e.g. in strings or in
- comments). Doing so avoids the pitfalls that the restrictions in this section are prone to
+ comments). Alternatively, always replace "<code><</code>" characters in strings and comments in
+ <code><a href=#the-script-element>script</a></code> blocks as "\u003C". Doing either of these avoids the pitfalls that the restrictions in this section are prone to
triggering: namely, that, for historical reasons, parsing of <code><a href=#the-script-element>script</a></code> blocks in HTML is
a strange and exotic practice that acts unintuitively in the face of these strings.</p>
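Review bot: The new <code><</code> on the first added line omits the empty title="" attribute that every other literal character sequence in this paragraph carries (<code title=""><!--</code>, <code title=""><\!--</code>, and so on). Suggest <code title=""><</code> for consistency, and the same code markup for the "\u003C" replacement text, which is left as a bare quoted string while the other replacements in the paragraph are wrapped in <code>.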
Modified: source
===================================================================
--- source 2013-10-22 18:15:24 UTC (rev 8235)
+++ source 2013-10-22 21:37:35 UTC (rev 8236)
@@ -57552,12 +57552,15 @@
<h5><dfn data-x="script content restrictions">Restrictions for contents of <code>script</code> elements</dfn></h5>
+<!--CLEANUP-->
+
<p class="note">The easiest and safest way to avoid the rather strange restrictions described in
this section is to always escape "<code data-x=""><!--</code>" as "<code
data-x=""><\!--</code>", "<code data-x=""><script</code>" as "<code
data-x=""><\script</code>", and "<code data-x=""></script</code>" as "<code
data-x=""><\/script</code>" when these sequences appear in scripts (e.g. in strings or in
- comments). Doing so avoids the pitfalls that the restrictions in this section are prone to
+ comments). Alternatively, always replace "<code><</code>" characters in strings and comments in
+ <code>script</code> blocks as "\u003C". Doing either of these avoids the pitfalls that the restrictions in this section are prone to
triggering: namely, that, for historical reasons, parsing of <code>script</code> blocks in HTML is
a strange and exotic practice that acts unintuitively in the face of these strings.</p>
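Review bot: The phrase "replace ... as "\u003C"" in the added sentence mixes two constructions; the sentence before it uses "escape X as Y", so either "escape "<" characters ... as "\u003C"" or "replace ... with "\u003C"" would read correctly. Two smaller points in the same hunk: the <!--CLEANUP--> marker added under the heading is not explained in the log message, so a word on what remains to be cleaned up would help the next editor, and the second added line runs well past the column at which the rest of this paragraph is wrapped.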