Description
http://code.google.com/p/html5lib/issues/detail?id=92
Reported by zcorpan, Feb 27, 2009
What steps will reproduce the problem?
Input:<br title=><xmp>><script>alert(1)</script></xmp>
Serialization options: omit quotes.What is the expected output?
Attribute values with ` in them should be quoted even with the omit quotes
setting.What do you see instead?
Quotes are omitted and hence, the script is run in IE.
Feb 27, 2009 t.broyer
IIRC, the spec says a ` is allowed in an unquoted attribute value:
http://www.whatwg.org/specs/web-apps/current-work/multipage/syntax.html#attributesShould the spec be changed? should we rather add a new option to the serializer?
Mar 10, 2009 sad.neko
I'm sorry, but i couldn't find ` to be allowed in unquoted attribute values in html5
neither in html4. Am i missing something?
Sep 4, 2009 Simetrical
The requirements that comment 2 links to say unquoted attributes "must not contain any literal space characters, any U+0022 QUOTATION MARK (") characters, U+0027 APOSTROPHE (') characters, U+003D EQUALS SIGN (=) characters, U+003C LESS-THAN SIGN (<) characters, or U+003E GREATER-THAN SIGN (>) characters, and must not be the empty string." There are no other constraints that don't apply to quoted attributes as well.
What's the bug here? As far as I can tell from reading the spec, the given text
should parse as
<br title=""><xmp>><script>alert(1)</script></xmp>and conformant browsers should run the script.
Sep 6, 2009 zcorpan
No, because xmp is a RAWTEXT element. So it's equivalent to the following XML
<br title=""/><xmp>><script>alert(1)</script></xmp>but in IE it's equivalent to the following XML
<br title="><xmp>"/><script>alert(1)</script><xmp/>(I think a stray </xmp> tag will result in an empty element in IE, but I could
remember incorrectly; anyway that's besides the point.)
Oct 18, 2009 geoffers
` is now non-conforming at the start of an unquoted attribute.
Related to #11.