[Bug 8206] New: Serialization requires no escaping of < in URI attribute with XHTML


http://www.w3.org/Bugs/Public/show_bug.cgi?id=8206

           Summary: Serialization requires no escaping of < in URI attribute
                    with XHTML
           Product: XPath / XQuery / XSLT
           Version: Recommendation
          Platform: PC
               URL: http://www.w3.org/TR/2007/REC-xslt-xquery-serialization-
                    20070123/#serphases
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Serialization
        AssignedTo: zongaro@...
        ReportedBy: zongaro@...
         QAContact: public-qt-comments@...


A colleague pointed out this problem in the "Character Expansion" step of the
phases of serialization.[1]  Suppose the output method is XHTML and the
escape-uri-attributes serialization parameter has the value "yes".  For any URI
attribute, step 3a. requires URI escaping to be applied and that steps 3b.
through 3e. be skipped.

The URI escaping is described in three steps:  i) Unicode normalization; ii)
percent encoding as described for fn:escape-html-uri; and iii) escaping
"according to HTML rules any characters (such as < and &) where HTML requires
escaping.  For example, replace < with &lt;."

For other attributes, step 3e. would cause a less than to be replaced with &lt;
or an equivalent character reference.

It's not clear which HTML rules apply here - those of the various HTML
recommendations, those of the HTML output method or both.  If this was a
reference to the rules of the HTML output method, alone or together with the
requirements of the relevant HTML recommendation, it must be noted that section
7.2 of serialization actually prohibits a less than character from being
escaped.[2]  It states, "The HTML output method MUST NOT escape "<" characters
occurring in attribute values."

[1] http://www.w3.org/TR/2007/REC-xslt-xquery-serialization-20070123/#serphases
[2] http://www.w3.org/TR/2007/REC-xslt-xquery-serialization-20070123/#HTML_ATTRIBS


--
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
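
The message above describes three URI-escaping sub-steps and two possible readings of "HTML rules" in the last one. The following is an added example, not code from the bug report or from any serializer: it runs the sub-steps on a constructed attribute value under each reading and checks whether the result is still a well-formed XML attribute. NFC as the normalization form, the `&` and quote handling, and all function and variable names are assumptions of this sketch.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Final sub-step (iii) escaping tables. The "<" handling is what the bug report
# is about; the "&" and quote handling are simplifying assumptions of this sketch.
XML_RULES = {"&": "&amp;", "<": "&lt;", '"': "&quot;"}
HTML_METHOD_RULES = {"&": "&amp;", '"': "&quot;"}  # section 7.2: "<" is not escaped


def percent_encode(value):
    """Sub-step ii, as for fn:escape-html-uri: keep printable ASCII (32-126),
    replace every other character with %HH for each of its UTF-8 octets."""
    out = []
    for ch in value:
        if 32 <= ord(ch) <= 126:
            out.append(ch)
        else:
            out.extend("%{:02X}".format(octet) for octet in ch.encode("utf-8"))
    return "".join(out)


def escape_uri_attribute(value, rules):
    """Apply sub-steps i-iii of URI escaping to one attribute value."""
    normalized = unicodedata.normalize("NFC", value)  # sub-step i (NFC assumed)
    encoded = percent_encode(normalized)
    return "".join(rules.get(ch, ch) for ch in encoded)


def is_well_formed_xml(attr_text):
    """True if the escaped text can sit inside a double-quoted XML attribute."""
    try:
        ET.fromstring('<a href="{}"/>'.format(attr_text))
        return True
    except ET.ParseError:
        return False


# Constructed sample value: decomposed e-acute, an ampersand and a less-than.
SAMPLE = "search?q=cafe\u0301&x=a<b"

if __name__ == "__main__":
    for name, rules in (("XML rules", XML_RULES),
                        ("HTML output method rules", HTML_METHOD_RULES)):
        text = escape_uri_attribute(SAMPLE, rules)
        print("{:26} {:34} well-formed XML: {}".format(
            name, text, is_well_formed_xml(text)))
```

Under the HTML output method's rules the literal `<` survives into the attribute value, which an XML parser rejects; that is why the reading matters for the XHTML output method.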


[Bug 8206] [Ser] Serialization requires no escaping of < in URI attribute with XHTML


http://www.w3.org/Bugs/Public/show_bug.cgi?id=8206


Henry Zongaro <zongaro@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |trivial
           Priority|P2                          |P5




--- Comment #1 from Henry Zongaro <zongaro@...>  2009-11-12 16:58:12 ---
I've reduced the priority/severity to mark this as an editorial issue.  I don't
believe there's any doubt about the intent - that the XHTML output method
should be able to escape less than characters that appear in any attribute
value.

I propose the following change:

. In Section 4, bullet 3.a.iii, change "escape according to HTML rules" to
"escape according to XML or HTML rules, as determined by the applicable output
method, "




[Bug 8206] [Ser] Serialization requires no escaping of < in URI attribute with XHTML


http://www.w3.org/Bugs/Public/show_bug.cgi?id=8206


Henry Zongaro <zongaro@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED




--- Comment #2 from Henry Zongaro <zongaro@...>  2009-11-26 20:54:33 ---
At its call of 2009-11-12,[3] the XSL WG observed that the response proposed in
comment #1 did not address the question of whether "HTML rules" referred to the
rules of the HTML output method or the rules of one of the HTML
Recommendations.  The consensus was that this referred to the rules of the
output method.  The following changes were proposed and accepted during the
call:

. In Section 4, bullet 3.a.iii, change "escape according to HTML rules any
characters (such as < and &) where HTML requires escaping" to
"escape according to the rules of the XML or HTML output method, whichever is
applicable, any characters that require escaping"

. In Section 4, bullet 3.e, change "escape according to XML or HTML rules" to
"escape according to the rules of the XML or HTML output method, whichever is
applicable,"


Ratification of this decision by the XQuery Working Group is pending.

[3] http://lists.w3.org/Archives/Member/w3c-xsl-wg/2009Nov/0028.html

