Edgewall Software

Ticket #24 (closed defect: fixed)

Opened 9 years ago

Last modified 8 years ago

<script> and <style> element content should not be escaped by HTML serializer

Reported by: cmlenz
Owned by: cmlenz
Priority: major
Milestone: 0.2
Component: Serialization
Version:
Keywords:
Cc:

Description (last modified by cmlenz)

The XHTML serializer should probably continue to escape scripts and styles… however that means that output needs to be sent as application/xhtml+xml to make scripts containing <, > or & characters work.

See also Kid ticket #99.


Change History

Changed 9 years ago by cmlenz

  • component changed from Parsing to Serialization
  • description modified
  • summary changed from Handling of CDATA to <script> and <style> element content should not be escaped by HTML serializer

Actually, this isn't about CDATA, but about escaping the contents of <script> and <style> elements.

Not sure whether trying to pass through CDATA sections as such makes sense.

Changed 9 years ago by arnarbi at gmail

Unfortunately, using "application/xhtml+xml" is currently incompatible with IE.

At the least the option of either not escaping inside script/style tags or including CDATA sections as-is (with the CDATA markers) would be nice.

Changed 9 years ago by cmlenz

Passing CDATA sections through doesn't work either when serving as text/html.

What would be needed is something like:

<script type="text/javascript">/*<![CDATA[*/
  var x = 1 < 2;
/*]]>*/</script>

And that's ignoring pre-HTML4 user agents (which would display the contents of the <script> or <style> elements in this case). That can be worked around (see http://www.hixie.ch/advocacy/xhtml), but I don't particularly care about those browsers myself.

Changed 9 years ago by cmlenz

It just occurred to me that if we passed CDATA sections through and properly serialized them, you could just do the above trick in your template.

Changed 9 years ago by cmlenz

  • status changed from new to closed
  • resolution set to fixed

The fix for HTML output (not escaping) was implemented in [181], the fix for XHTML output (passing through CDATA markers) was implemented in [184].
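
How the three serializations discussed in this ticket look to each kind of parser, as an added example that is not part of the ticket or of the project's code. Python's standard `html.parser` stands in for a text/html user agent and `xml.etree` for an application/xhtml+xml one; the helper names are made up for this illustration.

```python
from html.parser import HTMLParser
from xml.etree import ElementTree
from xml.sax.saxutils import escape

JS = "var x = 1 < 2;"  # constructed sample: the expression used in the ticket


class ScriptText(HTMLParser):
    """Collect the text a text/html parser passes on as script source."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)


def seen_as_html(markup):
    """Script text under text/html: raw text, entities are not decoded."""
    parser = ScriptText()
    parser.feed(markup)
    parser.close()
    return "".join(parser.chunks)


def seen_as_xml(markup):
    """Script text under application/xhtml+xml, or None if not well-formed."""
    try:
        return ElementTree.fromstring(markup).text
    except ElementTree.ParseError:
        return None


def wrap(body):
    return '<script type="text/javascript">%s</script>' % body


ESCAPED = wrap(escape(JS))  # escaping serializer: correct only when parsed as XML
RAW = wrap(JS)  # unescaped output: correct only when parsed as text/html
POLYGLOT = wrap("/*<![CDATA[*/\n%s\n/*]]>*/" % JS)  # commented CDATA markers
```

Because the text/html form is emitted unescaped, the serializer no longer protects the element boundary: script text containing `</script` ends the element early, so that sequence has to be kept out of inline scripts by the template.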
