This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 6670 - Allow unescaped &s, at least in attributes that accept URLs
Summary: Allow unescaped &s, at least in attributes that accept URLs
Status: VERIFIED WONTFIX
Alias: None
Product: HTML WG
Classification: Unclassified
Component: pre-LC1 HTML5 spec (editor: Ian Hickson) (show other bugs)
Version: unspecified
Hardware: All All
: P2 normal
Target Milestone: ---
Assignee: Ian 'Hixie' Hickson
QA Contact: HTML WG Bugzilla archive list
URL:
Whiteboard:
Keywords: NoReply
Depends on:
Blocks:
 
Reported: 2009-03-09 18:49 UTC by Ian 'Hixie' Hickson
Modified: 2011-11-23 07:09 UTC (History)
6 users (show)

See Also:

Attachments

Description Ian 'Hixie' Hickson 2009-03-09 18:49:15 UTC 
Based on data from Google, requiring &s to be escaped in URL-heavy pages (like most major sites) causes something like a 6% increase in file size. This error seems more common than the error it is trying to catch (accidentally forgetting the semicolon in an entity), but it would leave sites exposed to accidental entities, e.g. in the case of:

   http://example.com?cut©paste;color&style&bold
Comment 1 Ian 'Hixie' Hickson 2009-03-10 00:55:24 UTC 
maybe only if followed by alphanumeric ASCII and an equals sign?
Comment 2 Lachlan Hunt 2009-03-11 08:52:44 UTC 
It is useful to know if a semi-colon has accidentally been omitted from an entity reference, or if you've unintentionally used a sequence that looks like an entity reference.  This could be defined so that it is valid when:

1. The value is alphanumeric ASCII followed an equals sign
2. The value does not match one of the defined entity references.

So the most common cases of "?x&foo=1" would be valid.
But "?x&copy=1" would be invalid because © is an entity and, in this case, would be resolved to "?x©=1", which is not likely what the author wants.
Comment 3 Ian 'Hixie' Hickson 2009-04-01 01:50:10 UTC 
"?x&copy=1" in an attribute would not be treated as an entity, though, so the author still wouldn't be affected... Are you sure we need to check for matches even though they won't be handled as such? Maybe I don't really understand what you are proposing.
Comment 4 Ian 'Hixie' Hickson 2009-05-29 00:15:51 UTC 
I've tried to do this. The spec text for this is highly unintuitive, but I hope it matches practical intuition more than the previous text. I'm not compeltely convinced that this is a good idea, so let me know if you think this should be changed back.
Comment 5 Lachlan Hunt 2009-06-02 13:16:17 UTC 
(In reply to comment #3)
> "?x&copy=1" in an attribute would not be treated as an entity

Yes it would because "&copy" is one of the entity references that needs to be supported without the use of the semi-colon on the end.  Try it.

http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A%3Ca%20href%3D%22%3Fx%26copy%3D1%22%3Etest%3C%2Fa%3E
Comment 6 Ian 'Hixie' Hickson 2009-06-12 22:24:40 UTC 
Reverted.
Comment 7 Maciej Stachowiak 2010-03-14 13:17:02 UTC 
This bug predates the HTML Working Group Decision Policy.

If you are satisfied with the resolution of this bug, please change the state of this bug to CLOSED. If
you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

This bug is now being moved to VERIFIED. Please respond within two weeks. If this bug is not closed, reopened or escalated within two weeks, it may be marked as NoReply and will no longer be considered a pending comment.
Comment 8 Julian Reschke 2011-06-15 10:07:49 UTC 
Apparently, this change *was* applied later on. Is there another bug related to this?