Bug 329 – Don't escape '<' and '>' in attribute values, to handle http://www.expedia.com/pub/agent.dll?qscr=cars&itid=&itdx=&itty=&&ploc=&plo2=&flag=&subm=1&tovr=-1294637292&styp=1&locn=Denver&loid=&astr=&acty=&astt=&azip=&date1=10%2F24%2F2008&time1=660&date2=10...

NOTE: The current preferred location for bug reports is the GitHub issue tracker.

Bug 329 - Don't escape '<' and '>' in attribute values, to handle http://www.expedia.com/pub/agent.dll?qscr=cars&itid=&itdx=&itty=&&ploc=&plo2=&flag=&subm=1&tovr=-1294637292&styp=1&locn=Denver&loid=&astr=&acty=&astt=&azip=&date1=10%2F24%2F2008&time1=660&date2=10...


Summary:	Don't escape '<' and '>' in attribute values, to handle http://www.expedia.co...

Status:	NEW

Product:	Validator.nu
Classification:	Unclassified
Component:	HTML parser
Version:	HEAD
Hardware:	All All

Importance:	P2 normal
Assigned To:	Nobody

URL:	http://svn.whatwg.org/webapps/source?...

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2008-11-24 22:01 CET by Henri Sivonen
Modified:	2009-11-23 17:17 CET (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Henri Sivonen 2008-11-24 22:01:19 CET

Index: source
===================================================================
--- source	(revision 2362)
+++ source	(revision 2363)
@@ -56985,14 +56985,15 @@
   purposes of the algorithm above) consists of replacing any
   occurrences of the "<code title="">&amp;</code>" character by the
   string "<code title="">&amp;amp;</code>", any occurrences of the
-  "<code title="">&lt;</code>" character by the string "<code
+  U+00A0 NO-BREAK SPACE character by the string "<code
+  title="">&amp;nbsp;</code>", and, if the algorithm was invoked in
+  the <i>attribute mode</i>, any occurrences of the "<code
+  title="">&quot;</code>" character by the string "<code
+  title="">&amp;quot;</code>", or if it was not, any occurrences of
+  the "<code title="">&lt;</code>" character by the string "<code
   title="">&amp;lt;</code>", any occurrences of the "<code
   title="">&gt;</code>" character by the string "<code
-  title="">&amp;gt;</code>", any occurrences of the U+00A0 NO-BREAK
-  SPACE character by the string "<code title="">&amp;nbsp;</code>",
-  and, if the algorithm was invoked in the <i>attribute mode</i>, any
-  occurrences of the "<code title="">&quot;</code>" character by the
-  string "<code title="">&amp;quot;</code>".</p>
+  title="">&amp;gt;</code>".</p>
 
   <p class="note">Entity reference nodes are <a
   href="#entity-references">assumed to be expanded</a> by the user

Comment 1 Henri Sivonen 2009-08-21 10:20:11 CEST

The original summary for this bug was longer than 255 characters, and so it was truncated when Bugzilla was upgraded. The original summary was:

Don't escape '<' and '>' in attribute values, to handle http://www.expedia.com/pub/agent.dll?qscr=cars&itid=&itdx=&itty=&&ploc=&plo2=&flag=&subm=1&tovr=-1294637292&styp=1&locn=Denver&loid=&astr=&acty=&astt=&azip=&date1=10%2F24%2F2008&time1=660&date2=10%2F25%2F2008&time2=660&loc2=&loi2=&rdus=10&cark=1&kind=1&optn=1&vend=&fspeceq=1&rdct=1 (credit: sp)