Quote attributes containing weird whitespace or '<'

[gsnedders]

http://code.google.com/p/html5lib/issues/detail?id=93

Reported by zcorpan, Feb 27, 2009

This is similar to issue 92 except there's an old Opera bug where certain
characters are treated as whitespace.

http://www.opera.com/support/kb/view/900/

The characters are

U+0009, U+000A, U+000B, U+000C, U+000D, U+0020, U+002F, U+00A0, U+1680, U
+180E, U+180F, U+2000, U+2001, U+2002, U+2003, U+2004, U+2005, U+2006, U
+2007, U+2008, U+2009, U+200A, U+2028, U+2029, U+202F, U+205F and U+3000

html5lib should probably quote attribute values that contain any of these.

Also, given that Gecko and WebKit start a new tag for <foo bar=baz<quux>
you should probably also quote attribute values that contain "<".

Apr 27, 2009 excors

Also see http://software.hixie.ch/utilities/js/live-dom-viewer/saved/95

In addition to the values mentioned in the spec, the following seem to require
quoting:

Safari 3.0: U+0000 to U+0020 inclusive
Konqueror 4.1: U+0000 to U+0020 inclusive
Safari 3.1: U+000B
Opera 9.6: U+000B
IE6, IE8: U+000B, U+0060
Firefox 2/3: (Not U+0008 despite what that test script says; those characters just
get stripped, it seems)

Apr 27, 2009 zcorpan

(U+000B is not a valid character in HTML5, though I don't know if the serializer
tries to keep the character data valid.)

Sep 4, 2009 Simetrical

The spec should be updated to ban these too, then, right? They're not interoperably
supported. I doubt anyone will cry about not being able to use sub-0x20 characters in
unquoted attribute values, anyway. :) U+60 is `, doesn't seem like a big issue
either. Should this be brought up on the mailing list?

Sep 5, 2009 geoffers

IMO yes, just someone needs to get around to it. :)

Sep 6, 2009 zcorpan

I did, and Hixie rejected it saying that it's an issue that will go away over time.
Feel free to bring it up again (citing that sites who implement the spec using a
serializer will expose themselves to security problems with legacy browsers).

Sep 7, 2009 Simetrical

I posted this a couple of days ago:

http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-September/022711.html

Oct 28, 2009 geoffers

Accepted, though we still need to decide how much to quote.

Oct 30, 2009 geoffers

I don't think we need to try and get the spec to quote anything else.

This should presumably be a legacy_quote option or some such.

[gsnedders]

The full list:

\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x2f\x60\xa0\u1680\u180e\u180f\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000