[e] (0) Add an example of escaped ampersands in URLs in sandbox=''.

Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=8806 git-svn-id: http://svn.whatwg.org/webapps@4704 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Feb 13, 2010 · 62b4857 · 62b4857
1 parent 853ffe9
commit 62b4857
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 3 deletions.
diff --git a/complete.html b/complete.html
@@ -19839,14 +19839,23 @@ <h4 id=the-iframe-element><span class=secno>4.8.2 </span>The <dfn><code>iframe</
  &lt;/article&gt;
  &lt;article&gt;
   &lt;footer&gt; At &lt;time pubdate&gt;2009-08-21T23:44Z&lt;/time&gt;, &lt;a href="/users/cap"&gt;cap&lt;/a&gt; writes: &lt;/footer&gt;
-  &lt;iframe seamless sandbox="allow-same-origin" srcdoc="&lt;p&gt;Yeah, you can see it &lt;a href=&amp;quot;/gallery/cover/1&amp;quot;&gt;in my gallery&lt;/a&gt;."&gt;&lt;/iframe&gt;
+  &lt;iframe seamless sandbox="allow-same-origin" srcdoc="&lt;p&gt;Yeah, you can see it &lt;a href=&amp;quot;/gallery?mode=cover&amp;amp;amp;page=1&amp;quot;&gt;in my gallery&lt;/a&gt;."&gt;&lt;/iframe&gt;
  &lt;/article&gt;
  &lt;article&gt;
   &lt;footer&gt; At &lt;time pubdate&gt;2009-08-21T23:58Z&lt;/time&gt;, &lt;a href="/users/ch"&gt;ch&lt;/a&gt; writes: &lt;/footer&gt;
   &lt;iframe seamless sandbox="allow-same-origin" srcdoc="&lt;p&gt;hey that's earl's table.
 &lt;p&gt;you should get earl&amp;amp;amp;me on the next cover."&gt;&lt;/iframe&gt;
  &lt;/article&gt;</pre>
 
+   <p>Notice the way that quotes have to be escaped (otherwise the
+   <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute would
+   end prematurely), and the way raw ampersands (e.g. in URLs or in
+   prose) mentioned in the sandboxed content have to be
+   <em>doubly</em> escaped &mdash; once so that the ampersand is
+   preserved when originally parsing the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, and once more
+   to prevent the ampersand from being misinterpreted when parsing the
+   sandboxed content.</p>
+
   </div>
 
   <p class=note>In <a href=#syntax>the HTML syntax</a>, authors need only

diff --git a/index b/index
@@ -19738,14 +19738,23 @@ href="?audio"&gt;audio&lt;/a&gt; test instead.)&lt;/p&gt;</pre>
  &lt;/article&gt;
  &lt;article&gt;
   &lt;footer&gt; At &lt;time pubdate&gt;2009-08-21T23:44Z&lt;/time&gt;, &lt;a href="/users/cap"&gt;cap&lt;/a&gt; writes: &lt;/footer&gt;
-  &lt;iframe seamless sandbox="allow-same-origin" srcdoc="&lt;p&gt;Yeah, you can see it &lt;a href=&amp;quot;/gallery/cover/1&amp;quot;&gt;in my gallery&lt;/a&gt;."&gt;&lt;/iframe&gt;
+  &lt;iframe seamless sandbox="allow-same-origin" srcdoc="&lt;p&gt;Yeah, you can see it &lt;a href=&amp;quot;/gallery?mode=cover&amp;amp;amp;page=1&amp;quot;&gt;in my gallery&lt;/a&gt;."&gt;&lt;/iframe&gt;
  &lt;/article&gt;
  &lt;article&gt;
   &lt;footer&gt; At &lt;time pubdate&gt;2009-08-21T23:58Z&lt;/time&gt;, &lt;a href="/users/ch"&gt;ch&lt;/a&gt; writes: &lt;/footer&gt;
   &lt;iframe seamless sandbox="allow-same-origin" srcdoc="&lt;p&gt;hey that's earl's table.
 &lt;p&gt;you should get earl&amp;amp;amp;me on the next cover."&gt;&lt;/iframe&gt;
  &lt;/article&gt;</pre>
 
+   <p>Notice the way that quotes have to be escaped (otherwise the
+   <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute would
+   end prematurely), and the way raw ampersands (e.g. in URLs or in
+   prose) mentioned in the sandboxed content have to be
+   <em>doubly</em> escaped &mdash; once so that the ampersand is
+   preserved when originally parsing the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute, and once more
+   to prevent the ampersand from being misinterpreted when parsing the
+   sandboxed content.</p>
+
   </div>
 
   <p class=note>In <a href=#syntax>the HTML syntax</a>, authors need only

diff --git a/source b/source
@@ -21070,14 +21070,24 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
  &lt;/article>
  &lt;article>
   &lt;footer> At &lt;time pubdate>2009-08-21T23:44Z&lt;/time>, &lt;a href="/users/cap">cap&lt;/a> writes: &lt;/footer>
-  &lt;iframe seamless sandbox="allow-same-origin" srcdoc="&lt;p>Yeah, you can see it &lt;a href=&amp;quot;/gallery/cover/1&amp;quot;>in my gallery&lt;/a>.">&lt;/iframe>
+  &lt;iframe seamless sandbox="allow-same-origin" srcdoc="&lt;p>Yeah, you can see it &lt;a href=&amp;quot;/gallery?mode=cover&amp;amp;amp;page=1&amp;quot;>in my gallery&lt;/a>.">&lt;/iframe>
  &lt;/article>
  &lt;article>
   &lt;footer> At &lt;time pubdate>2009-08-21T23:58Z&lt;/time>, &lt;a href="/users/ch">ch&lt;/a> writes: &lt;/footer>
   &lt;iframe seamless sandbox="allow-same-origin" srcdoc="&lt;p>hey that's earl's table.
 &lt;p>you should get earl&amp;amp;amp;me on the next cover.">&lt;/iframe>
  &lt;/article></pre>
 
+   <p>Notice the way that quotes have to be escaped (otherwise the
+   <code title="attr-iframe-sandbox">sandbox</code> attribute would
+   end prematurely), and the way raw ampersands (e.g. in URLs or in
+   prose) mentioned in the sandboxed content have to be
+   <em>doubly</em> escaped &mdash; once so that the ampersand is
+   preserved when originally parsing the <code
+   title="attr-iframe-sandbox">sandbox</code> attribute, and once more
+   to prevent the ampersand from being misinterpreted when parsing the
+   sandboxed content.</p>
+
   </div>
 
   <p class="note">In <span>the HTML syntax</span>, authors need only