NOTE: The current preferred location for bug reports is the GitHub issue tracker.
Bug 109 - Ban attribute names containing single quotes and double quotes, ban unquoted attribute values containing single quotes and double quotes, require spaces between attributes.
Status: RESOLVED FIXED
Product: Validator.nu
Classification: Unclassified
Component: HTML parser
Version: HEAD
Hardware: All
OS: All
Importance: P2 normal
Assigned To: Henri Sivonen
URL: http://svn.whatwg.org/webapps/source?...
Depends on:
Blocks:
Reported: 2008-03-03 13:13 CET by Nobody
Modified: 2008-03-13 16:22 CET
CC: 0 users

See Also:

Description Nobody 2008-03-03 13:13:18 CET
Index: source
===================================================================
--- source	(revision 1302)
+++ source	(revision 1303)
@@ -34969,13 +34969,14 @@
   <p>Attributes have a name and a value. <dfn
   title="syntax-attribute-name">Attribute names</dfn> must consist of
   one or more characters other than the <span title="space
-  character">space characters</span>, U+003E GREATER-THAN SIGN (&gt;),
-  U+002F SOLIDUS (/), U+003D EQUALS SIGN (=), the U+0000 NULL
-  character, the control characters, and any characters that are not
-  defined by Unicode. In the HTML syntax, attribute names may be
-  written with any mix of lower- and uppercase letters that, when
-  converted to all-lowercase<!-- ASCII case-insensitive -->, matches
-  the attribute's name; attribute names are case-insensitive.</p>
+  character">space characters</span>, U+0000 NULL, U+0022 QUOTATION
+  MARK (&#x22;), U+0027 APOSTROPHE (&#x27;), U+003E GREATER-THAN SIGN
+  (&gt;), U+002F SOLIDUS (/), and U+003D EQUALS SIGN (=) characters,
+  the control characters, and any characters that are not defined by
+  Unicode. In the HTML syntax, attribute names may be written with any
+  mix of lower- and uppercase letters that, when converted to
+  all-lowercase<!-- ASCII case-insensitive -->, matches the
+  attribute's name; attribute names are case-insensitive.</p>
 
   <p><dfn title="syntax-attribute-value">Attribute values</dfn> are a
   mixture of <span title="syntax-text">text</span> and <span
@@ -35023,11 +35024,10 @@
     title="syntax-attribute-value">attribute value</span>, which, in
     addition to the requirements given above for attribute values,
     must not contain any literal <span title="space character">space
-    characters</span>, U+003D EQUALS SIGN (=) characters, or U+003E
-    GREATER-THAN SIGN (<code>&gt;</code>) characters, and must not,
-    furthermore, start with either a literal U+0022 QUOTATION MARK
-    (<code>&#x22;</code>) character or a literal U+0027 APOSTROPHE
-    (<code>&#x27;</code>) character.</p>
+    characters</span>, a U+0022 QUOTATION MARK (<code>&#x22;</code>)
+    characters, U+0027 APOSTROPHE (<code>&#x27;</code>) characters,
+    U+003D EQUALS SIGN (<code>=</code>) characters, or U+003E
+    GREATER-THAN SIGN (<code>&gt;</code>) characters.</p>
 
     <div class="example">
 
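Review bot: grammar in the new text: "a U+0022 QUOTATION MARK (") characters" pairs a singular article with a plural noun; drop the "a" so the entry reads like the U+0027 one after it. The tightening itself, from "must not start with" to "must not contain" a quote character, is the right call, because it matches the unquoted attribute value state later in this patch, where a quote inside an unquoted value is a parse error but remains part of the value; href=x"onclick=y is still a single href attribute whose value is x"onclick=y, not two attributes.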
@@ -35073,6 +35073,10 @@
 
     </div>
 
+    <p>If an attribute using the single-quoted attribute syntax is to
+    be followed by another attribute, then there must be a <span>space
+    character</span> separating the two.</p>
+
    </dd>
 
    <dt>Double-quoted attribute value syntax</dt>
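Review bot: this paragraph and the one added for the double-quoted syntax in the next hunk are identical apart from the syntax name; one paragraph after the dl that covers both quoted syntaxes would avoid two copies drifting apart the next time the wording changes. Note that the requirement only bites when another attribute follows: / and > directly after the closing quote remain conforming, which the new after attribute value (quoted) state at the end of this patch also reflects.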
@@ -35101,6 +35105,10 @@
 
     </div>
 
+    <p>If an attribute using the double-quoted attribute syntax is to
+    be followed by another attribute, then there must be a <span>space
+    character</span> separating the two.</p>
+
    </dd>
 
   </dl>
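Review bot: the example block for this syntax (just above, unchanged) is the natural place to show the case this rule targets, since it is the security-relevant one: <a href="x"onclick="y"> is now non-conforming, but per the rest of this patch it still tokenises as two attributes, href and onclick, with the quote closing the first value. Without an example, readers may assume the second attribute is swallowed into the first value, which is what the unquoted syntax does, not the quoted one.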
@@ -36226,6 +36234,10 @@
 
   <p>The tokeniser state machine is as follows:</p>
 
+  <!-- XXX should go through these reordering the entries so that
+  they're in some consistent order, like, by Unicode, errors last, or
+  something -->
+
   <dl>
 
    <dt><dfn>Data state</dfn></dt>
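Review bot: an XXX comment in the spec source is easy to lose; since this patch already touches five tokeniser states, either reorder the entries in those states now or file the reordering as a separate bug and reference it from the comment. The entries this patch adds at least keep U+0022, U+0027 and U+003D together and before EOF in every state, so they will not need to move again.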
@@ -36528,11 +36540,11 @@
      slash</span>. Stay in the <span>before attribute name
      state</span>.</dd>
 
+     <dt>U+0022 QUOTATION MARK (&quot;)</dt>
+     <dt>U+0027 APOSTROPHE (')</dt>
      <dt>U+003D EQUALS SIGN (=)</dt>
-     <dd><span>Parse error</span>. Start a new attribute in the
-     current tag token. Set that attribute's name to the current input
-     character, and its value to the empty string. Switch to the
-     <span>attribute name state</span>.</dd>
+     <dd><span>Parse error</span>. Treat it as per the "anything else"
+     entry below.</dd>
 
      <dt>EOF</dt>
      <dd><span>Parse error</span>. Emit the current tag
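Review bot: for U+003D this only preserves behaviour if the "anything else" entry of the before attribute name state (not shown in the diff) still starts a new attribute named with the current input character and switches to the attribute name state, as the deleted text spelled out; please confirm, otherwise <a =x> changes meaning silently. For the two quote characters the effect is new but limited to the parse error: <a "onclick=x> produces an attribute named "onclick (quote included), which is not the onclick event handler attribute, so the token stream is no more dangerous than before, just flagged.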
@@ -36583,6 +36595,11 @@
      slash</span>. Switch to the <span>before attribute name
      state</span>.</dd>
 
+     <dt>U+0022 QUOTATION MARK (&quot;)</dt>
+     <dt>U+0027 APOSTROPHE (')</dt>
+     <dd><span>Parse error</span>. Treat it as per the "anything else"
+     entry below.</dd>
+
      <dt>EOF</dt>
      <dd><span>Parse error</span>. Emit the current tag
      token. Reconsume the EOF character in the <span>data
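Review bot: the after attribute name state (whitespace after a name, before = or the next attribute) is not touched by this patch, although a stray quote there is the same kind of error as the one now flagged in the before attribute name state; check whether it needs the same two entries, or the validator will report <div a"b> but presumably not <div a "b>, where the quote would start a second attribute with no error. As written here the quote goes to "anything else" and is appended to the name, giving an attribute named a"b, which is consistent with the new rule in the syntax section that names may not contain quotes.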
@@ -36685,9 +36702,8 @@
      state</span>.</dd>
 
      <dt>U+003D EQUALS SIGN (=)</dt>
-     <dd><span>Parse error</span>. Append the current input character
-     to the current attribute's value. Switch to the <span>attribute
-     value (unquoted) state</span>.</dd>
+     <dd><span>Parse error</span>. Treat it as per the "anything else"
+     entry below.</dd>
 
      <dt>EOF</dt>
      <dd><span>Parse error</span>. Emit the current tag
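Review bot: same check as for the before attribute name state: the "anything else" entry of the before attribute value state must append the character to the value and switch to the attribute value (unquoted) state, or <a b==c> stops having the value =c that the deleted text produced. The quote characters are correctly left out of this entry, since in this state they begin a quoted value rather than being errors.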
@@ -36712,7 +36728,8 @@
     <dl class="switch">
 
      <dt>U+0022 QUOTATION MARK (&quot;)</dt>
-     <dd>Switch to the <span>before attribute name state</span>.</dd>
+     <dd>Switch to the <span>after attribute value (quoted)
+     state</span>.</dd>
 
      <dt>U+0026 AMPERSAND (&amp;)</dt>
      <dd>Switch to the <span>entity in attribute value state</span>,
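Review bot: this is the hunk that actually makes <a href="x"onclick="y"> report an error, and it does so without changing the output: the new after attribute value (quoted) state reconsumes the o in the before attribute name state, so the tag still carries both href and onclick. That deserves a sentence in the commit message, because a consumer that treats "no parse error" as "no injected attribute" now gets the right signal, while one that assumed a quoted value needs trailing whitespace to end was wrong both before and after this change. The single-quoted state in the next hunk gets the identical edit and the two should be kept in step.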
@@ -36742,7 +36759,8 @@
     <dl class="switch">
 
      <dt>U+0027 APOSTROPHE (')</dt>
-     <dd>Switch to the <span>before attribute name state</span>.</dd>
+     <dd>Switch to the <span>after attribute value (quoted)
+     state</span>.</dd>
 
      <dt>U+0026 AMPERSAND (&amp;)</dt>
      <dd>Switch to the <span>entity in attribute value state</span>,
@@ -36787,10 +36805,11 @@
      <dd>Emit the current tag token. Switch to the <span>data
      state</span>.</dd>
 
+     <dt>U+0022 QUOTATION MARK (&quot;)</dt>
+     <dt>U+0027 APOSTROPHE (')</dt>
      <dt>U+003D EQUALS SIGN (=)</dt>
-     <dd><span>Parse error</span>. Append the current input character
-     to the current attribute's value. Stay in the <span>attribute
-     value (unquoted) state</span>.</dd>
+     <dd><span>Parse error</span>. Treat it as per the "anything else"
+     entry below.</dd>
 
      <dt>EOF</dt>
      <dd><span>Parse error</span>. Emit the current tag
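Review bot: with these entries the unquoted state and the syntax rule in the first hunk agree: a quote mid-value is reported but, assuming "anything else" in this state still appends the character, it stays in the value, so <a href=x"onclick="y"> is one href attribute with value x"onclick="y" and no onclick. A validator test case pairing it with <a href="x"onclick="y"> would be worthwhile, since the two look alike but tokenise differently, and that difference is exactly what attribute-injection payloads rely on.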
@@ -36823,6 +36842,39 @@
 
    </dd>
 
+   <dt><dfn>After attribute value (quoted) state</dfn></dt>
+
+   <dd>
+
+    <p>Consume the <span>next input character</span>:</p>
+
+    <dl class="switch">
+
+     <dt>U+0009 CHARACTER TABULATION</dt>
+     <dt>U+000A LINE FEED (LF)</dt>
+     <dt>U+000B LINE TABULATION</dt>
+     <dt>U+000C FORM FEED (FF)</dt>
+     <!--<dt>U+000D CARRIAGE RETURN (CR)</dt>-->
+     <dt>U+0020 SPACE</dt>
+     <dd>Switch to the <span>before attribute name state</span>.</dd>
+
+     <dt>U+003E GREATER-THAN SIGN (&gt;)</dt>
+     <dd>Emit the current tag token. Switch to the <span>data
+     state</span>.</dd>
+
+     <dt>U+002F SOLIDUS (/)</dt>
+     <dd><span>Parse error</span> unless this is a <span>permitted
+     slash</span>. Switch to the <span>before attribute name
+     state</span>.</dd>
+
+     <dt>Anything else</dt>
+     <dd><span>Parse error</span>. Reconsume the character in
+     the<span>before attribute name state</span>.</dd>
+
+    </dl>
+
+   </dd>
+
    <dt><dfn>Bogus comment state</dfn></dt>
 
    <dd>
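Review bot: two problems in the new state. First, a typo: "Reconsume the character in the<span>before attribute name state</span>" is missing the space before <span>. Second, there is no EOF entry, so EOF falls into "anything else", raises a parse error here and then a second one in the before attribute name state's own EOF entry; every other state touched in this patch lists EOF explicitly, so add "EOF: Parse error. Emit the current tag token. Reconsume the EOF character in the data state." to match them.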