Comment #13 on issue 2217 by [email protected]: HTML extensions to String.prototype shouldn’t escape ', < and > in argument values; only "
http://code.google.com/p/v8/issues/detail?id=2217
My $0.02 is that it would be wise to escape all of these and update (your) spec to accept this behaviour before it goes any further.
The case I worry about is when some idiot does a document.write() of '_'.link('<script>...').substring(1); V8 is safe. The others are not. In general, you will be safe only when the string is not combined in other ways so that you are sure to be entering the context of an HTML tag when the < is seen.
Why not make it idiot-proof by changing the others?
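
The case raised in this comment, as an added example that is not part of the original message and not V8 or spec code: it compares escaping only " with escaping all four characters when the generated markup loses its leading < before being written into a page. The helper names (quoteOnlyLink, fullEscapeLink, startTagsOpened) are hypothetical, and the tag scanner is a simplified stand-in for an HTML tokenizer.

```javascript
// Added illustration; helper names are hypothetical, not V8 or spec code.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes only the double quote, the behaviour named in the issue title.
function quoteOnlyLink(text, url) {
  return '<a href="' + String(url).replace(/"/g, '&quot;') + '">' + text + '</a>';
}

// Escapes all of ', ", <, > (and &), the behaviour the comment argues for.
function fullEscapeLink(text, url) {
  const safe = String(url).replace(/[&<>"']/g, (c) => ENTITIES[c]);
  return '<a href="' + safe + '">' + text + '</a>';
}

// Simplified stand-in for an HTML tokenizer that starts outside any tag:
// returns the names of the start tags it would open, skipping quoted
// attribute values while it is inside a tag.
function startTagsOpened(fragment) {
  const names = [];
  let i = 0;
  while ((i = fragment.indexOf('<', i)) !== -1) {
    const m = /^<([a-zA-Z][a-zA-Z0-9]*)/.exec(fragment.slice(i));
    if (!m) { i += 1; continue; }
    names.push(m[1].toLowerCase());
    i += m[0].length;
    let quote = null;
    for (; i < fragment.length; i++) {
      const c = fragment[i];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') { i += 1; break; }
    }
  }
  return names;
}

const value = '<script>...'; // argument value taken from the comment
for (const make of [quoteOnlyLink, fullEscapeLink]) {
  const whole = make('_', value);
  console.log(make.name, startTagsOpened(whole), startTagsOpened(whole.substring(1)));
}
```

With only " escaped, the intact markup opens just the a tag, but the substring(1) form opens a script tag; with all characters escaped, neither form does.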
