A user account is required in order to edit this wiki, but we've had to disable public user registrations due to spam.

To request an account, ask an autoconfirmed user on Chat (such as one of these permanent autoconfirmed members).

CDATA Escapes: Difference between revisions

From WHATWG Wiki
Jump to navigation Jump to search
(Document requirements)
 
Line 3: Line 3:
===Hard Requirements===
===Hard Requirements===


* It must be possible to have the string "</script>" in a string literal in inline JavaScript without having to use JS-level escapes. (This possibility may be limited to scripts that use the <!-- ... --> "Hide from old browsers" pattern.)
* It must be possible to have the string "</script>" in a string literal in inline JavaScript without having to use JS-level escapes. (This possibility may be limited to scripts that use the <!-- ... --> "Hide from old browsers" pattern.)
* It must be possible to have "<!--" and "-->" in string literals in inline JavaScript without having to use JS-level escapes.
* It must be possible to have "<!--" and "-->" in string literals in inline JavaScript without having to use JS-level escapes.
* Must not rewind and reparse with different rules.
* Must not rewind and reparse with different rules.


===Medium Requirements===
===Medium Requirements===


* It should be possible to have the string <!-- in xmp without having the rest of the page eaten up into xmp element.
* It should be possible to have the string <!-- in xmp without having the rest of the page eaten up into xmp element.
* It should be possible to have <!-- near the start of a script or style element without having a matching --> and still the trailing part of the page shouldn't get eaten up into the script or style element.
* It should be possible to have <!-- near the start of a script or style element without having a matching --> and still the trailing part of the page shouldn't get eaten up into the script or style element.
* Pages authored naively for HTML5-parsing-enabled UAs shouldn't be XSS risks in legacy UAs.
* Pages authored naively for HTML5-parsing-enabled UAs shouldn't be XSS risks in legacy UAs.

Revision as of 10:59, 12 August 2009

Requirements

Hard Requirements

  • It must be possible to have the string "</script>" in a string literal in inline JavaScript without having to use JS-level escapes. (This possibility may be limited to scripts that use the "Hide from old browsers" pattern.)
  • It must be possible to have "" in string literals in inline JavaScript without having to use JS-level escapes.
  • Must not rewind and reparse with different rules.

Medium Requirements

  • It should be possible to have the string and still the trailing part of the page shouldn't get eaten up into the script or style element.
  • Pages authored naively for HTML5-parsing-enabled UAs shouldn't be XSS risks in legacy UAs.