[whatwg] E4X and attribute values

liorean liorean at gmail.com
Tue Jan 16 15:05:48 PST 2007

On 1/16/07, Henri Sivonen <hsivonen at iki.fi> wrote:
> On Jan 16, 2007, at 23:02, liorean wrote:
> > I can't really see a reason not to allow E4X in event handler
> > attributes
> My understanding is that E4X parsing is incompatible with normal
> ECMAScript parsing and, therefore, the ECMAScript parser needs to
> know if E4X is to be enabled. Is this incorrect?

Well, that depends on what you mean by "incompatible". I haven't
looked closely enough at E4X to say it's fully backwards compatible. It
might be that some productions that are legal in ECMAScript 3 are
illegal or unreachable in E4X-enabled engines. ECMAScript 3 for sure
isn't forward compatible with E4X though.

But asking that question, you should also consider that it might be
the case that ECMAScript 4 will make some productions that are legal
in ECMAScript 3 illegal or unreachable, and there will surely be some
semantic changes. And there is at least one browser supporting
several non-ECMAScript languages for event handler attributes.

If ECMAScript 3 is the only language you want to support in event
handlers, ever, then I think it's reasonable to disallow E4X. But if
you want to allow upgrading ECMAScript 3 to ECMAScript 4, 5, 6 some
day, if you want to allow the possibility of other languages in event
handler attributes, if you want to reduce web developer headaches
keeping multiple similar but slightly incompatible languages in sync
in their sites, I think you need to let UAs use one and the same
default. Sure, you can dictate the default to be ECMAScript 3 without
E4X or just the latest ECMAScript version supported by the UA with all
extensions supported by the UA, but I think you need to do it
generally for all script in a document and not have a separate default
for cases such as event handler attributes.

Just for testing in ff2:
'+<test>test</test>);</script><a href="javascript:void alert('uri
'+<test>test</test>)" onclick="alert('event

This happily alerts "script test", and if you click the link alerts
"event test" and "uri test", and doesn't cause any errors.
David "liorean" Andersson
