#whatwg
2015-01-26
plaintext logs
prev next
source on github
07:49
<ondras>
morning
07:49
<ondras>
inside an attribute event handler, the element is added to the scope?
08:10
<zcorpan>
ondras: you mean <p onclick="">? (not .onclick = function(){})
08:13
<ondras>
zcorpan: yeah, already found out: https://html.spec.whatwg.org/multipage/webappapis.html#internal-raw-uncompiled-handler
08:13
<ondras>
zcorpan: I was puzzled by body onclick having "body" in scope, while body onload NOT having body in scope
08:14
<ondras>
apparently onload does not belong to body :)
08:14
<zcorpan>
ah, yeah
08:31
<zcorpan>
hsivonen: MikeSmith: ping https://github.com/validator/validator/pull/25
09:01
<benjamingr>
Is the execution order of messages posted with `postMessage` guaranteed with regards to other scheduled tasks?
09:01
<benjamingr>
for example - is the result of the following guaranteed to always be one thing? http://jsfiddle.net/f45a5pdx/
09:01
<benjamingr>
Domenic: you'd probably know ^
11:24
<zcorpan>
hsivonen: it seems MS have now done what you suggested they do back in the days. http://www.smashingmagazine.com/2015/01/26/inside-microsofts-new-rendering-engine-project-spartan/ https://hsivonen.fi/ie6/ (except not for ie6, just ie5.5, 7, 8, 9, 10, 11)
11:30
<zcorpan>
(maybe "enterprise mode" was already a thing in ie11)
12:34
<MikeSmith>
zcorpan: merged the validator change
12:34
<MikeSmith>
thanks
12:34
<zcorpan>
cheers
12:35
<MikeSmith>
sorry for not getting to it sooner
12:35
<zcorpan>
no worries
12:53
<Ms2ger>
Hm, Presto had navigator.appMinorVersion?
13:15
<zcorpan_>
seems so
13:19
<zcorpan_>
also browserLanguage, userLanguage
13:20
<Ms2ger>
browserLanguage only if navigator.appName == "Microsoft Internet Explorer"
13:22
<zcorpan_>
looks like both of those have some usage on github
13:24
<Ms2ger>
return (navigator.browserLanguage || navigator.language || navigator.userLanguage).substr(0,2)
13:24
<zcorpan_>
"navigator.language" 138,088 "navigator.userLanguage" 51,830 "navigator.browserLanguage" 14,089
13:24
<zcorpan_>
"navigator.languages" 991
15:00
<JonathanNeal>
Are any specs in the works that improve upon addEventListener?
15:06
<Ms2ger>
How so?
15:32
<JonathanNeal>
@Ms2ger, how so to improve upon addEventListener? Returning an event object that could disable itself. Promisified like fetch or streamed or whatever the word is. Integrated delegation (without mimicing via .closest).
17:35
<Domenic>
benjamingr: I don't believe so. UAs can pick from any of multiple queues when it's time to execute a task, at their discretion. That is how e.g. painting gets priority over setTimeout IIRC.
17:36
<Domenic>
more confusion between promises and event listeners, sigh, when will it ever end.
17:37
<Ms2ger>
What goes into which queue should be defined, though
17:37
<Ms2ger>
Not sure if Promises do
17:42
<jgraham_>
Hmm?
18:30
<benjamingr>
Domenic: that's what I thought - thanks!
21:27
<nicholasserra>
Anyone have any experience with python html5lib?
21:28
<boogyman>
nicholasserra: dont ask to ask, just as your actual question
21:28
<nicholasserra>
boogyman: Wasn't sure, as this channel seems to have a pretty broad purpose. Thanks
21:29
<boogyman>
If it's a question about #python or ##python that would probably be a better place to ask, but if its a question about the HTML specs, here is appropriate.
21:30
<nicholasserra>
Well, i'm using the python html5lib package to sanitize some html, but it seems to be escaping ampersands inside of an href attribute, which seems like a bug to me. Not sure if i'm not passing a correct flag. The source is pretty hard to dig into. https://gist.github.com/nicholasserra/6bd1ff7650e398127f19
21:31
<boogyman>
that's a #python or ##python question
21:31
<nicholasserra>
Gotcha thanks
21:31
<boogyman>
cheers
21:49
<SimonSapin>
to be fair the html5lib authors hang out here
22:26
<TabAtkins>
You're supposed to escape ampersands inside of attribute values, tho.
22:34
<jgraham>
nicholasserra: That is a #whatwg question, not a #python question
22:34
<jgraham>
:)
22:36
<jgraham>
nicholasserra: The rules around escaping ampersands in attributes are somewhat complicated, but in general it should always be OK to escape them
22:36
<jgraham>
Is it causing you an actual problem?
22:51
<nicholasserra>
jgraham: Yes, as it is in an href, and the link is no longer valid
22:52
<nicholasserra>
I opened up an issue with all the details too: https://github.com/html5lib/html5lib-python/issues/180
23:11
<jgraham>
nicholasserra: So afaict when you parse the output of that you get the same as when you parse the input i.e. everything is working as expected
23:13
<nicholasserra>
jgraham: What do you mean? To clarify my issue, if I try to sanitize an anchor tag with href like google.com/?key=1&key=2, the href will be changed to ?key=1&amp;key=2
23:19
<zewt_>
dpm
23:19
<zewt_>
typing hard
23:19
<zewt_>
don't suppose there's a magic setting to un-break chrome user scripts
23:20
<zewt_>
one day google decided to just kill off user scripts saying "not from chrome web store"
23:20
<jgraham>
nicholasserra: The output will yes. But reparsing that output will give you the same DOM as your original input
23:20
<jgraham>
So I don't see why it's a problem
23:22
<nicholasserra>
The DOM is fine, but now I have an href with an invalid link
23:22
<nicholasserra>
jgraham: ^
23:23
<nicholasserra>
Unless html entities are parsed by the browser. I don't think that's the case though.
23:24
<nicholasserra>
tldr <a href="test.com/&">; goes in, <a href="test.com/&amp;">; comes out. Different href attrs
23:25
<zewt_>
that looks right to me
23:25
<jgraham>
nicholasserra: It is the case. See e.g. http://software.hixie.ch/utilities/js/live-dom-viewer/saved/3384
23:26
<zewt>
it's not going to remember which characters were escaped in the input, you just always escape going out
23:27
<zewt>
it could probably figure out when escaping isn't needed, but nobody would risk escaping-related security bugs just to prettify html a little
23:27
<zewt>
(for some value of nobody)
23:27
<nicholasserra>
Nice. I guess I never knew that the browser would treat html special chars as their regular character counterparts when parsing the attribute. Still seems generally wrong to me though.
23:28
<nicholasserra>
I would expect those URI attrs to be excluded from any parsing or treatment in general.
23:28
<zewt>
(you mean URL)
23:28
<zewt>
how would you put a quote in the string?
23:28
<jgraham>
nicholasserra: The spec and all browsers disagree with your expectations, though :)
23:29
<zewt>
i guess you're thinking that you could URL-escape but not HTML-escape, which I guess is fair, but incorrect
23:29
<jgraham>
Not all attributes are URLs
23:29
<nicholasserra>
The code from html5lib refers to them as URI. But yeah.
23:29
<zewt>
since the ... yeah that's a shorter way of typing what i was about to type
23:30
<nicholasserra>
Yeah, I guess I would imagine that urlencoding it would make more sense
23:30
<jgraham>
It probably shouldn't say URI but it's hard to change the API now
23:30
<nicholasserra>
Weird stuff
23:31
<nicholasserra>
thanks for sorting it out with me zewt and jgraham
23:31
<jgraham>
nicholasserra: np
23:31
<nicholasserra>
Im going to leave my issue open to see if anyone else has an opinion on it
23:31
<zewt>
not really good practice
23:32
<zewt>
since it's forcing somebody somewhere to spend time on it (and just repeating what we just said)
23:34
<nicholasserra>
While you're both right that it will work, I still don't think URL attributes should even be parsed. It's probably a wontfix issue, but i'm curious if the authors have any more input.
23:35
<zewt>
given that that's not what browsers actually do, that's frankly just not a valid thing to think :)
23:36
<zewt>
better off posting to a mailing list if you want to ask for opinions--filing a bug is sort of like demanding them
23:36
<zewt>
(anyway, i'm not the one who has to respond to the bug report)
23:38
<nicholasserra>
That's fair. The google group for html5lib is pretty dead. Any suggestions on where to ask that question?
23:39
<jgraham>
nicholasserra: FWIW I am one of the principal authors of html5lib
23:39
<zewt>
it's not really html5lib-specific, you could ask anywhere html-related, eg. stackoverflow
23:39
<zewt>
since you're asking about html parsing, html5lib is just one implementation of that
23:40
<nicholasserra>
Gotcha. Thanks. I closed my issue. Maybe i'll bring it up elsewhere. jgraham zewt
23:40
<zewt>
(another reason what you're suggesting is incorrect: browsers don't know whether an attribute contains a url in advance; it might be a polyfilled attribute that it doesn't know about yet)
23:42
<nicholasserra>
I guess my gripe is more with the parser than the browser. Mainly: If the browser will just read the html special character as its regular character counterpart, and the parser knows that it's in a URL attribute, when why bother escaping it?
23:42
<zewt>
the parser doesn't necessarily know anything about the contents of an attribute
23:43
<nicholasserra>
In html5lib, it has a list of attrs that are marked as URL attributes
23:43
<zewt>
(and it shouldn't have to--that's bad layering)
23:43
<zewt>
and that's not exhaustive: when a new attribute is added to HTML that contains a URL, it won't know about it
23:43
<zewt>
which means HTML would parse differently as attributes are added
23:44
<nicholasserra>
So basically you're saying it should sanitize everything just in case?
23:45
<zewt>
nothing to do with sanitizing, if you say <foo srcurl="http://google.com/&amp;">;, and you look at srcurl in javascript on the page, some browsers would say "http://google.com&amp;"; and others would say "http://google.com&";