This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
"Notice the way that quotes have to be escaped (otherwise the sandbox attribute would end prematurely), and the way raw ampersands (e.g. in URLs or in prose) mentioned in the sandboxed content have to be doubly escaped once so that the ampersand is preserved when originally parsing the sandbox attribute, and once more to prevent the ampersand from being misinterpreted when parsing the sandboxed content." It seems likely that injecting HTML as escaped (and DOUBLE escaped) strings within an attribute will be difficult to get right, and will result in many authoring errors. What is the use case for this?
mass-move component to LC1
*** This bug has been marked as a duplicate of bug 13599 ***