[whatwg] E4X and attribute values

[liorean]

On 1/16/07, Henri Sivonen <hsivonen at iki.fi> wrote:
> Is E4X allowed in event handler attribute values and in javascript:
> URIs? If yes, how can a UA know whether the E4X parse mode should be
> used?

For javascript: URIs I guess the mode depends on the UA default. If
E4X is enabled in the default, I cannot see any reason you'd want to
disallow it in javascript: URIs. If you do, you prevent for example
bookmarklets from ever using E4X, unless you want to introduce a
separate URI scheme such as javascript-e4x: for that purpose.

> (It seems to me that it would make sense not to allow E4X in those
> cases and require the script snippets to call into E4X scripts
> included using the <script> element. But I don't really know what
> Firefox does here.)

I can't really see a reason not to allow E4X in event handler
attributes if it's enabled in function bodies assigned through DOM0 or
DOM2Events with the default script settings in the UA. Things such as
escaping already have to be taken care of in the appropriate language
nesting order by authors, so no more weight are put on them than if
you disallow it. It seems to me as if the event handler attributes are
parsed as a FunctionBody for a named function "anonymous" taking a
single argument "event", starting in the InputRegExp scanner state
like for any other FunctionBody production. So I doubt it makes much
difference for the scripting engine either way.
-- 
David "liorean" Andersson