Anne van Kesteren wrote:
> On Thu, 26 Apr 2007 02:17:12 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
>> We no longer support this in Mozilla (if we ever did). A reason we
>> now explicitly forbid this is we don't want it to ever be possible to
>> create elements with 'illegal' names. Same thing goes for attribute
>> names. This is partially for security reasons since some elements and
>> attributes carry very important security information.
>
> Could you elaborate on the security issues? Could you also give a
> definition of "illegal names" as it's not really clear to me what that
> means for HTML.

Basically, for <input< type=file value="/etc/passwd">, if part of the
code thinks that that is an "input<" element, whereas other parts
think that is an "input" element, you might end up in a situation
where the browser sends the /etc/passwd file to the server without user
interaction.

It also seems like a bad idea to allow a document to be parsed such that
there is no way to serialize it without creating an invalid HTML5
serialization.

As far as element names go, I don't really see a reason to allow more,
or less, characters than the XML spec lets you use.

/ Jonas
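
The disagreement described in the message above, as an added example that is not part of the original thread: a name check against the XML 1.0 (5th edition) Name production, plus two constructed tag-name readers that stand in for "different parts of the code". The function names and both readers are assumptions made for illustration and are not any browser's actual logic.

```javascript
// XML 1.0 (5th ed.) NameStartChar / NameChar ranges, written for a "u"-flag RegExp.
const NAME_START =
  ":A-Z_a-z\\u{C0}-\\u{D6}\\u{D8}-\\u{F6}\\u{F8}-\\u{2FF}\\u{370}-\\u{37D}" +
  "\\u{37F}-\\u{1FFF}\\u{200C}-\\u{200D}\\u{2070}-\\u{218F}\\u{2C00}-\\u{2FEF}" +
  "\\u{3001}-\\u{D7FF}\\u{F900}-\\u{FDCF}\\u{FDF0}-\\u{FFFD}\\u{10000}-\\u{EFFFF}";
const NAME_CHAR =
  NAME_START + "\\-.0-9\\u{B7}\\u{300}-\\u{36F}\\u{203F}-\\u{2040}";
const XML_NAME = new RegExp(`^[${NAME_START}][${NAME_CHAR}]*$`, "u");
const XML_NAME_PREFIX = new RegExp(`^<([${NAME_START}][${NAME_CHAR}]*)`, "u");

// Guard to apply before creating an element or attribute with a given name.
function isXmlName(name) {
  return XML_NAME.test(name);
}

// Hypothetical reader A: the tag name runs until whitespace, "/" or ">".
function lenientTagName(markup) {
  const m = /^<([^\s\/>]+)/.exec(markup);
  return m ? m[1] : null;
}

// Hypothetical reader B: the tag name is the longest prefix that is an XML Name.
function strictTagName(markup) {
  const m = XML_NAME_PREFIX.exec(markup);
  return m ? m[1] : null;
}

// Compare both readers on one start tag and say whether the name is allowed.
function audit(markup) {
  const lenient = lenientTagName(markup);
  const strict = strictTagName(markup);
  return {
    lenient,
    strict,
    agree: lenient === strict,
    legal: lenient !== null && isXmlName(lenient),
  };
}

// Constructed samples: a plain tag and the tag quoted in the message.
const samples = ['<input type=file>', '<input< type=file value="/etc/passwd">'];
for (const s of samples) console.log(s, audit(s));
```

Rejecting any name that fails `isXmlName` at creation time removes the case where the two readers disagree, and it keeps every element name serializable.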