23593 – New restriction for safe CDATA content in script elements: the string <script> needs to be escaped.

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 23593 - New restriction for safe CDATA content in script elements: the string <script> needs to be escaped.

Summary: New restriction for safe CDATA content in script elements: the string <script...

Status:	RESOLVED FIXED

Alias:	None

Product:	HTML WG
Classification:	Unclassified
Component:	HTML/XHTML Compatibility Authoring Guide (ed: Eliot Graff) (show other bugs)
Version:	unspecified
Hardware:	PC Windows NT

Importance:	P3 normal
Target Milestone:	---
Assignee:	Leif Halvard Silli
QA Contact:	HTML WG Bugzilla archive list

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	13604
	Show dependency tree / graph

Reported:	2013-10-22 12:05 UTC by Leif Halvard Silli
Modified:	2013-11-02 05:33 UTC (History)
CC List:	7 users (show)

See Also:

Attachments

Description Leif Halvard Silli 2013-10-22 12:05:47 UTC

See comment number 1 in Bug #23587.

Polyglot Markup describes ”safe CDATA content”, which is a description of the content that can be safely inserted into a script or style element provided that it is wrapped inside a CDATA declaration. Simply put, that content has to match what the parser rules for the text/html serialization.

However, Jakub Łopuszański’s bug, bug #23587, shows that we also need to say something about escaping the <script> start tag, if it occurs inside a comment inside the script element - see comment number 1 of Bug #23587.

Comment 1 Leif Halvard Silli 2013-10-22 12:07:47 UTC

Accepted, but we need to look at the outcome of bug #23587 (and bug #23590).

Comment 2 Leif Halvard Silli 2013-11-02 05:33:19 UTC

EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are
satisfied with this response, please change the state of this bug to CLOSED. If
you have additional information and would like the Editor to reconsider, please
reopen this bug. If you would like to escalate the issue to the full HTML
Working Group, please add the TrackerRequest keyword to this bug, and suggest
title and text for the Tracker Issue; or you may create a Tracker Issue
yourself, if you are able to do so. For more details, see this document:


   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Accepted
Change Description: Added section on comment syntax inside the script element. 
Rationale: It is clearly necessary to describe how to avoid this pitfall.

See the new text here: http://dev.w3.org/html5/html-polyglot/html-polyglot#CDATA-comment-syntax-in-script

Check-in: http://dev.w3.org/cvsweb/html5/html-polyglot/html-polyglot.html?rev=1.6