Fix #11 by escaping enough to be safe in legacy browsers #95

Status: Merged (7 commits, May 17, 2016)

Conversation

gsnedders (Member):

#11 given this isn't picked up from the title

hoppipolla-critic-bot:

Critic review: https://critic.hoppipolla.co.uk/r/227

This is an external review system which you may optionally use for the code review of your pull request.

gsnedders (Member, Author):

The remaining failures are now-bogus tests in html5lib-tests (which expect spec behaviour by default, and not legacy-safe behaviour by default (which we want because of #12 — to be secure by default)).

@gsnedders gsnedders modified the milestones: 0.9999, 0.99999 Apr 29, 2015
@gsnedders gsnedders force-pushed the escape-characters-serializer branch from b0eddff to 791533e May 7, 2016 23:48
@gsnedders gsnedders modified the milestone: 0.99999999 May 8, 2016
@gsnedders gsnedders force-pushed the escape-characters-serializer branch from 791533e to d87ca9b May 9, 2016 15:20
@gsnedders gsnedders force-pushed the escape-characters-serializer branch from d87ca9b to 6ddce87 May 11, 2016 20:03
codecov-io commented May 11, 2016:

Current coverage is 89.37%

Merging #95 into master will increase coverage by +<.01%

@@             master        #95   diff @@
==========================================
  Files            50         50          
  Lines          6796       6809    +13   
  Methods           0          0          
  Messages          0          0          
  Branches       1318       1321     +3   
==========================================
+ Hits           6071       6085    +14   
+ Misses          555        553     -2   
- Partials        170        171     +1   
  1. File ...ject_meta_charset.py (not in diff) was modified.
    • Misses +1
    • Partials 0
    • Hits -1

Powered by Codecov. Last updated by b48d0c1...8765511

@gsnedders gsnedders force-pushed the escape-characters-serializer branch from a30eb28 to 15ff801 May 11, 2016 23:00
…legacy browsers

These are mostly out of the market now, so this isn't massively
needed any more; nevertheless, avoiding XSS as much as possible is
inevitably desirable.

This alters the API so that quote_attr_values is now a ternary
setting, choosing between legacy-safe behaviour, spec behaviour, and
always quoting.
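The commit message above describes `quote_attr_values` becoming a three-way setting (legacy-safe, spec, always). The following is an added illustration of that policy, written for this page and not taken from html5lib's own serializer: it reimplements the quoting decision for a single attribute in each of the three modes and shows why "spec" alone is the weaker default. The delimiter sets are assumptions: the spec set is the HTML standard's exclusions for unquoted attribute values (ASCII whitespace plus `"`, `'`, `=`, `<`, `>` and backtick); the legacy set adds ASCII control characters, DEL, the C1 control range, NBSP and the Unicode space separators as a stand-in for characters that old browsers treated as attribute terminators.

```python
# Added illustration of a three-way attribute quoting policy ("legacy", "spec",
# "always"), modelled on the quote_attr_values setting described in the commit
# message. Not html5lib's code; the delimiter sets below are assumptions.

# Characters the HTML standard forbids in an unquoted attribute value:
# ASCII whitespace plus " ' = < > and the backtick.
SPEC_DELIMITERS = frozenset("\t\n\x0c\r \"'=<>`")

# Assumed legacy-browser delimiter set: everything above plus ASCII control
# characters, DEL, the C1 control range, NBSP and the Unicode space separators.
# Old browsers treated some of these as attribute terminators, so an unquoted
# value containing one could be split into a second, attacker-chosen attribute.
LEGACY_DELIMITERS = SPEC_DELIMITERS | frozenset(
    [chr(c) for c in range(0x00, 0x20)]
    + ["\x7f"]
    + [chr(c) for c in range(0x80, 0xA1)]      # C1 controls and NBSP
    + [chr(c) for c in range(0x2000, 0x200B)]  # EN QUAD .. HAIR SPACE
    + ["\u1680", "\u180e", "\u2028", "\u2029", "\u202f", "\u205f", "\u3000"]
)

MODES = ("legacy", "spec", "always")


def needs_quotes(value, mode="legacy"):
    """Decide whether an attribute value must be quoted under the given mode."""
    if mode not in MODES:
        raise ValueError("quote_attr_values must be one of %r" % (MODES,))
    if mode == "always" or value == "":
        return True  # an empty unquoted value is not valid HTML either
    delimiters = SPEC_DELIMITERS if mode == "spec" else LEGACY_DELIMITERS
    return any(ch in delimiters for ch in value)


def serialize_attr(name, value, mode="legacy", quote_char='"'):
    """Serialize one attribute, quoting and escaping as the mode requires."""
    escaped = value.replace("&", "&amp;")  # ampersands are always escaped
    if not needs_quotes(value, mode):
        return "%s=%s" % (name, escaped)
    # Inside a quoted value only the chosen quote character must be escaped.
    entity = "&quot;" if quote_char == '"' else "&#39;"
    escaped = escaped.replace(quote_char, entity)
    return "%s=%s%s%s" % (name, quote_char, escaped, quote_char)


def serialize_start_tag(tag, attrs, mode="legacy"):
    """Serialize a start tag with its (name, value) attributes in order."""
    parts = [tag] + [serialize_attr(n, v, mode) for n, v in attrs]
    return "<" + " ".join(parts) + ">"


if __name__ == "__main__":
    # Constructed sample values: a plain token, one containing a vertical tab
    # (not HTML whitespace, but a legacy delimiter), one containing NBSP,
    # one needing entity escaping, and the empty string.
    samples = ["plain", "a\x0bb", "a\xa0b", 'say "hi"', ""]
    for mode in MODES:
        attrs = [("title", v) for v in samples]
        print("%-7s %r" % (mode + ":", serialize_start_tag("span", attrs, mode)))
```

Running the block shows that "spec" leaves `a\x0bb` and `a\xa0b` unquoted, which is correct per the standard but exactly the case the legacy-safe default exists to cover; "legacy" quotes them, and "always" quotes everything.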
@gsnedders gsnedders force-pushed the escape-characters-serializer branch from 8765511 to 9b8d8eb May 11, 2016 23:55
@gsnedders gsnedders merged commit f6741ea into html5lib:master May 17, 2016
@gsnedders gsnedders deleted the escape-characters-serializer branch May 17, 2016 22:08