2009/7/27 felix <[email protected]> > > what's the argument against allowing > <div id="!...@#$=()[]{}"> > or other weird chars. > it doesn't conform to xml or html specs, > but it's not rejected by any browser I tried, > and I can't think of any particular > security implication of weird chars. >
I definitely want to avoid things like <div id="htmlEmitter___�"> where a browser might throw out certain characters leaving an identifier in the restricted namespace, or without the dom suffix. There are quite a few characters that can't appear in an ID because some attributes like (ID, FOR) can appear individually, or can be grouped together (CLASS, HEADERS). See http://www.w3.org/TR/WCAG20-GENERAL/H43.htmlfor the latter which groups IDs together. So I don't object to widening the definition of ID to include non-alphabetic characters, but I would want to be sure that we don't widen it to include characters that would be considering breaking in an attribute that contains a whitespace separated run of multiple other characters. browser-expectations.html would be the right place to test any assertions about which characters can appear in an ID or CLASS.
