[whatwg] Allowing ">" in attribute values
Boris Zbarsky
bzbarsky at MIT.EDU
Tue Jun 29 07:01:07 PDT 2010
On 6/29/10 5:56 AM, Skrol29 wrote:
>> It seems like what you want here is for browsers to parse as they
>> do now, but a particular subset of browser-accepted syntax to be
>> enshrined so that when defining your restrictions over content you
>> control you can just say "follow the spec" instead of "follow the
>> spec and don't put '>' in attribute values", right?
>
> That is not the idea. I'll try to explain deeper.
OK.
> But parsing could be faster and more secure for all purposes
> (I mean not only for browsers) if">" is forbidden and to be replaced
> with">".
But existing content out there uses '>' in attribute values and isn't
going to stop doing so. Which means that you can't _forbid_ HTML
parsers allowing '>' in attribute values. In particular browser parsers
will continue to allow it, period.
Are we agreed so far?
> Why changing the HTML spec instead of adding a restriction when we
> want ">" to be forbidden ? Because I think we should all want">" to
> be forbidden.
Well... But we don't, in fact. We certainly don't want to forbid
consumers to consume it. So we're talking about a requirement on
producers only, and then the question is what the benefit of the
requirement is (compared to the drawback of making various existing and
future content that would otherwise be just fine non-conforming).
> I understand that browser developers are not feeling concerned by
> this because parsing is working well as is for them.
It's more than that. Browser developers (and anyone else who needs to
be able to accept HTML from people they don't have control over) needs
to have the current parsing behavior, period. Anything else just gives
you a broken parser.
So given that, how was my characterization of my suggestion incorrect?
Was the "for browsers" part incorrect? Or the "particular-subset" part?
Or something else?
-Boris
More information about the whatwg
mailing list