On 7/27/09 17:15, Mike Samuel wrote:
2009/7/27 felix <[email protected] <mailto:[email protected]>> what's the argument against allowing <div id="!...@#$=()[]{}"> or other weird chars. it doesn't conform to xml or html specs, but it's not rejected by any browser I tried, and I can't think of any particular security implication of weird chars. I definitely want to avoid things like <div id="htmlEmitter___�"> where a browser might throw out certain characters leaving an identifier in the restricted namespace, or without the dom suffix. There are quite a few characters that can't appear in an ID because some attributes like (ID, FOR) can appear individually, or can be grouped together (CLASS, HEADERS). See http://www.w3.org/TR/WCAG20-GENERAL/H43.html for the latter which groups IDs together. So I don't object to widening the definition of ID to include non-alphabetic characters, but I would want to be sure that we don't widen it to include characters that would be considering breaking in an attribute that contains a whitespace separated run of multiple other characters. browser-expectations.html would be the right place to test any assertions about which characters can appear in an ID or CLASS.
ok, I'll code up a test to verify that browsers don't mangle weird ids, either when emitted in canonical html form, or when set from js.
