Comment #5 on issue 2217 by [email protected]: HTML extensions to String.prototype shouldn’t escape ', < and > in argument values; only "
http://code.google.com/p/v8/issues/detail?id=2217

A quick test on Firefox 13 shows […]

There are more tests here: http://mathias.html5.org/tests/javascript/string/

Firefox is planning on escaping " only. See https://bugzilla.mozilla.org/show_bug.cgi?id=352437 (Ms2ger is working on a patch.) Opera will do the same once Firefox does (Opera bug DSK-369206), and a bug has been filed for IE as well: https://connect.microsoft.com/IE/feedback/details/752391 (IE has another issue with these methods: https://connect.microsoft.com/IE/feedback/details/752283)

Since String.prototype.link etc. are not part of ECMA-262 […]

They’re indeed not part of any standard, which is why the document on http://mathias.html5.org/specs/javascript/ is being written in an attempt to spec common behavior, and to get browsers to align their implementations with security in mind.

See http://mathias.html5.org/specs/javascript/#string and http://mathias.html5.org/specs/javascript/#escapeattributevalue.

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
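
Added example, not part of the original message and not V8's own code: a sketch of the "escape only the double quote" behaviour discussed above, checked against the engine's native String.prototype.link. The helper names createHTML, attributeValueSpan and checkSamples are hypothetical, and the sample values are constructed.

```javascript
// Escape only U+0022: the one character that can end a double-quoted
// attribute value. ', < and > are left untouched.
function escapeAttributeValue(value) {
  return String(value).replace(/"/g, '&quot;');
}

// Build <tag attribute="value">content</tag> the way the String.prototype
// HTML methods (link, anchor, fontcolor, ...) assemble their result.
function createHTML(content, tag, attribute, value) {
  let html = '<' + tag;
  if (attribute !== '') {
    html += ' ' + attribute + '="' + escapeAttributeValue(value) + '"';
  }
  return html + '>' + String(content) + '</' + tag + '>';
}

// Text between the first pair of double quotes in the markup, i.e. what a
// parser in the "double-quoted attribute value" state would consume.
function attributeValueSpan(html) {
  const open = html.indexOf('"');
  const close = html.indexOf('"', open + 1);
  return html.slice(open + 1, close);
}

// Constructed sample values: only the last two contain a double quote.
const SAMPLES = ["it's", 'a<b>c', 'say "hi"', 'x" title="y'];

function checkSamples() {
  return SAMPLES.map((value) => {
    const html = createHTML('text', 'a', 'href', value);
    const unescaped = '<a href="' + value + '">text</a>';
    return {
      value,
      html,
      // With escaping, the whole value stays inside the attribute.
      contained: attributeValueSpan(html) === escapeAttributeValue(value),
      // Without escaping, a value containing " ends the attribute early.
      containedUnescaped: attributeValueSpan(unescaped) === value,
      // Compare with the engine's built-in implementation.
      matchesNative: html === 'text'.link(value),
    };
  });
}

console.log(checkSamples());
```
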
