Edgewall Software

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#24 closed defect (fixed)

<script> and <style> element content should not be escaped by HTML serializer

Reported by: cmlenz
Owned by: cmlenz
Priority: major
Milestone: 0.2
Component: Serialization
Version:
Keywords:
Cc:

Description (last modified by cmlenz)

The XHTML serializer should probably continue to escape scripts and styles… however that means that output needs to be sent as application/xhtml+xml to make scripts containing <, > or & characters work.

See also Kid ticket #99.


Change History (5)

comment:1 Changed 12 years ago by cmlenz

  • Component changed from Parsing to Serialization
  • Description modified (diff)
  • Summary changed from Handling of CDATA to <script> and <style> element content should not be escaped by HTML serializer

Actually, this isn't about CDATA, but about escaping the contents of <script> and <style> elements.

Not sure whether trying to pass through CDATA sections as such makes sense.

comment:2 Changed 12 years ago by arnarbi at gmail

Unfortunately, using "application/xhtml+xml" is currently incompatible with IE.

At the least the option of either not escaping inside script/style tags or including CDATA sections as-is (with the CDATA markers) would be nice.

comment:3 Changed 12 years ago by cmlenz

Passing CDATA sections through doesn't work either when serving as text/html.

What would be needed is something like:

<script type="text/javascript">/*<![CDATA[*/
  var x = 1 < 2;
/*]]>*/</script>

And that's ignoring pre HTML4 user agents (which would display the contents of the <script> or <style> elements in this case). That can be worked around (see http://www.hixie.ch/advocacy/xhtml), but I don't particularly care about those browsers myself.

comment:4 Changed 12 years ago by cmlenz

It just occurred to me that if we passed CDATA sections through and properly serialized them, you could just do the above trick in your template.

comment:5 Changed 12 years ago by cmlenz

  • Resolution set to fixed
  • Status changed from new to closed

The fix for HTML output (not escaping) was implemented in [181], the fix for XHTML output (passing through CDATA markers) was implemented in [184].
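
Added example, not part of the ticket and not Genshi code: a Python standard-library check of how a text/html parser and an XML parser each read the script markup discussed in this thread. The function names and the three sample documents are constructed for illustration; the closing /*]]>*/ marker in the wrapped sample is an assumption about how the comment-wrapped CDATA trick is completed.

```python
# Added illustration (not Genshi code): how a text/html parser and an XML
# parser read the same <script> markup. All sample markup is constructed.
from html.parser import HTMLParser
import xml.etree.ElementTree as ET


class _ScriptText(HTMLParser):
    """Collect the character data found inside <script> elements."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)


def script_as_html(markup):
    """Script source as a text/html parser sees it (raw text, no entity decoding)."""
    parser = _ScriptText()
    parser.feed(markup)
    parser.close()
    return "".join(parser.chunks)


def script_as_xml(markup):
    """Script source as an XML parser sees it, or None if not well-formed."""
    try:
        return ET.fromstring(markup).text
    except ET.ParseError:
        return None


# Hypothetical serializer outputs: escaped, unescaped, and comment-wrapped CDATA.
ESCAPED = '<script type="text/javascript">var x = 1 &lt; 2;</script>'
RAW = '<script type="text/javascript">var x = 1 < 2;</script>'
WRAPPED = ('<script type="text/javascript">/*<![CDATA[*/\n'
           '  var x = 1 < 2;\n/*]]>*/</script>')
```

Only the wrapped form yields runnable JavaScript under both parsers: the escaped form reaches a text/html script engine with a literal &lt; in it, and the raw form is rejected by the XML parser.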
