| 00:05 | <annevk5> | I don't think anyone is sugesting that |
| 00:05 | <annevk5> | Just that anecdotically more people seem to be cool with it than not. See also e.g. twitter and blog posts around the Web |
| 00:08 | <karlcow> | http://www.google.com/search?q=%22html5+sucks%22 |
| 00:08 | <karlcow> | http://www.google.com/search?q=%22html5+rocks%22 |
| 00:08 | <karlcow> | but not sure it is very relevant ;) |
| 00:11 | svl | is a web developer, and is not only firmly on the "cool with it" side of things, but also believes the same goes for every single other web developer he knows (and given the various organizations I'm part of and the meetings I attend, that's a sizeable group). And beyond the people involved enough to be part of all that, I suspect most simply don't think about html5 at all yet. |
| 00:12 | <karlcow> | I agree with svl specifically for the last sentence. |
| 00:12 | karlcow | will ask monday in the office. |
| 00:12 | <Philip`> | Based on a large sampling of one person (outside the WHATWG community) who has expressed an opinion on HTML5, 100% of people like it |
| 00:12 | <Philip`> | mostly because the doctype is short |
| 00:12 | <karlcow> | that will be around 20 persons actually making Web sites in a commercial context |
| 00:13 | <Philip`> | but that's about the limit of my personal experience |
| 00:47 | <Hixie> | woah, my issues chart is saying i checked lots in in the past few weeks which is completely bogus |
| 00:48 | <Hixie> | wtf |
| 00:59 | <Hixie> | goddamnit |
| 00:59 | <Hixie> | i always get caught up on this "january is month zero" nonsense |
| 00:59 | <Hixie> | ok, chart fixed. |
| 03:02 | <rubys> | jgraham: what I wrote was "It is less obvious that we have adequate representation from content creators." |
| 03:02 | <rubys> | jgraham: what you read "strong perception that HTML 5 has disenfranchised authors somehow" |
| 03:02 | <rubys> | how the @#$#&^ did THAT happen? |
| 04:16 | <sayrer> | rubys, if you buy this: "Content creation should not be recondite. It should not be this bizarre arcana that only experts and gold-plated computer science gurus can do." |
| 04:17 | <sayrer> | how do you find people to participate in the working group? |
| 04:17 | <sayrer> | tough question, if you ask me |
| 08:38 | <jgraham> | rubys: Because I was not just basing what I said on what you wrote. As I said, that merely brought it to mind. |
| 10:53 | rubys | looks up "recondite" |
| 10:55 | <rubys> | rsayre: I understand the statement by Brendan, but don't see the association. |
| 10:55 | <rubys> | jgraham: thanks for clearing that up |
| 10:57 | <gsnedders> | http://pastebin.com/m41bc51f9 — why does __copy__ create copies of the key values and not references to them> |
| 11:21 | Philip` | notes that making a subclass of dict whose API is different in many ways is quite likely to be violating fundamental principles of OO design |
| 12:59 | <gsnedders> | True, but being better would mean doing odd things in places. |
| 13:19 | <Philip`> | gsnedders: But being better would, by definition, be better |
| 13:57 | <bell007> | hi |
| 13:57 | <bell007> | hi all |
| 13:58 | <bell007> | When I sanitize "<IMG SRC="HTTP://WWW.G.COM/png.png"; ALT="g">", there |
| 13:58 | <bell007> | is only receive "<IMG ALT="g">", the string SRC="HTTP://WWW.G.COM/ |
| 13:58 | <bell007> | png.png" lost! |
| 14:15 | <jgraham> | gsnedders: What are the keys? |
| 14:16 | <gsnedders> | Oh, I found why it wasn't working, it doesn't matter. |
| 14:16 | <gsnedders> | (__setitem__ caused a copy to be created) |
| 14:16 | <jgraham> | gsnedders: Oh and what Philip` said :) |
| 14:19 | Philip` | blames jgraham for doing s/and/or/ when attempting to change line wrapping in html5lib |
| 14:20 | jgraham | tries to look innocent |
| 14:20 | <jgraham> | DId we not have a unit test that covered it? |
| 14:20 | <Philip`> | jgraham: We had dozens |
| 14:21 | <jgraham> | And they failed? Wow I suck |
| 14:21 | <Philip`> | They did |
| 14:21 | <Philip`> | You said "there are some regressions in the liberal xml parser and the sanitizer that need to be fixed" |
| 14:21 | <Philip`> | so presumably you did check them :-) |
| 14:21 | <jgraham> | Oh, well I feel better about that then :) |
| 14:22 | <jgraham> | I have to learn that people are actually trying to use this stuff |
| 14:22 | <Philip`> | Breaking the sanitiser tests is probably not an excellent idea, even temporarily, when people seem to rely on trunk versions for security :-) |
| 14:22 | <Philip`> | One test still fails, but I don't quite know why |
| 14:23 | <Philip`> | (I think it passes in the Ruby version, though it's hard to tell because there's a load of bogus test failures from <a/> vs <a></a> serialisation) |
| 14:23 | jgraham | winders if people are relying on the ruby version |
| 14:24 | <jgraham> | *wonders |
| 14:24 | <Philip`> | val_unescaped = CGI.unescapeHTML(attrs[attr].to_s).gsub(/`|[\000-\040\177\s]+|\302[\200-\240]/,'').downcase |
| 14:24 | <Philip`> | Is that doing a gsub on UTF-8 byte values? |
| 14:25 | <Philip`> | If so, what's the equivalent in a non-insane language like Python that understands Unicode? |
| 14:25 | <jgraham> | Thst doesn't look entirely implausible |
| 14:27 | <Philip`> | Hmm, look like the last bit is U+0080 to U+00A0 |
| 14:31 | <Philip`> | Oh, the Python one's already equivalent |
| 14:33 | <Philip`> | Oh, right, the difference is probably that the Python version correctly translates  into U+FFFD, and the Ruby one doesn't |
| 14:33 | <Philip`> | so it's just a parser issue |
| 14:34 | <Philip`> | and the Ruby parser is already broken lots, so I don't care about it |
| 14:34 | <jgraham> | So the test is wrong? |
| 14:36 | <Philip`> | jgraham: No |
| 14:37 | <jgraham> | Oh. So we still fail a test but we just don't know why? |
| 14:37 | <Philip`> | Oh, wait |
| 14:37 | <Philip`> | Yes it is wrong |
| 14:37 | <Philip`> | The test is for <img src="  javascript:alert('XSS');" /> |
| 14:38 | <Philip`> | which runs the script in IE |
| 14:38 | <Philip`> | and the test case says it should become <img/>, but Python html5lib says u'<img src=" \ufffd javascript:alert(\'XSS\');"/>' |
| 14:39 | <Philip`> | which is okay because the U+FFFD results in the script not running |
| 14:40 | <Philip`> | but I don't know if it's dodgy to rely on that output being safe |
| 14:41 | <jgraham> | It seems like it would be nicer to pass the test |
| 14:41 | jgraham | doesn't really like the sanitizer code because it relies so heavilly on regexps for attribute sanitisation |
| 14:42 | <Philip`> | It relies on regexp blacklisting of attribute values, in particular |
| 14:42 | <jgraham> | Can we do it better? |
| 14:43 | <Philip`> | Use whitelisting :-) |
| 14:43 | <jgraham> | Well it doesn't seem reasonable to whitelist all possible attribute values |
| 14:43 | <Philip`> | It's reasonable to whitelist values that are valid URIs |
| 14:44 | <jgraham> | Yes, that would be better |
| 14:44 | <Philip`> | (and invalid URIs can be escape into valid URIs first) |
| 14:45 | <Philip`> | Someone should write an HTML insanitiser that makes your markup crazier |
| 14:46 | Philip` | doesn't care enough about this to work out what to do, so he'll leave it with the failing test |
| 14:50 | <Philip`> | (...since it seems to be a 'safe' failure, in terms of not introducing XSS vulnerabilities) |
| 15:19 | <jgraham> | http://www.iamcal.com/understanding-bidirectional-text/ is interesting. I guess the HTML sanitizer should do something about mismatched explicit override markers |
| 15:22 | <Philip`> | jgraham: Their effects seem to be scoped by elements like <div>, so as long as you've got some block markup around any user-supplied content then it shouldn't be a problem |
| 15:24 | <Philip`> | where "problem" means "denial of service attack, via user-generated content making significant parts of your page unreadable" |
| 15:24 | <Philip`> | (Localised nonsense isn't a problem that the sanitiser should be dealing with, because people can (and do) write nonsense just with plain ASCII anyway) |
| 15:26 | <jgraham> | Philip`: Ah, did the article say about the <div> thing or did you just test that? |
| 15:27 | <Philip`> | (By "block markup", I mean "markup which gets rendered with display:block") |
| 15:27 | <Philip`> | jgraham: I just tested it |
| 15:27 | <Philip`> | very briefly and incomprehensively |
| 15:28 | <Philip`> | http://www.google.com/search?q=%E2%80%AE |
| 15:28 | <jgraham> | The example in the article still makes some sense; you might not have user entered content in a <div> |
| 15:28 | <Philip`> | "Your search - .stnemucod yna hctam ton did -" |
| 15:28 | <jgraham> | Yeah so I see :) |
| 15:28 | <Philip`> | but then the rest of the page is fine |
| 15:29 | <Philip`> | (in the browsers I've tried) |
| 15:29 | <jgraham> | So it would still make sense to try and balance that out |
| 15:31 | <Philip`> | Of course I could still write http://www.google.com/search?q=.stnemucod+yna+htcam+ton+did to get very similar output |
| 15:33 | <jgraham> | You can imagine situations where content from several users is put together in a single block-level element so one user can confuse everyone else |
| 15:34 | <jgraham> | I agree that it doesn't seem like a very serious issue |
| 17:32 | <gsnedders> | http://gsnedders.html5.org/cite/ |
| 17:43 | <Lachy> | gsnedders, when I submit a file to that, I get an internal server error |
| 17:43 | <Lachy> | I tried submitting the html5 reference source |
| 17:43 | <gsnedders> | Awesome. |
| 17:43 | <gsnedders> | suexec policy violation: see suexec log for more details |
| 17:44 | <Lachy> | gsnedders, is that supposed to be running anolis with support for biblio, and with support for submitting an auxilliary biblio file? |
| 17:44 | <gsnedders> | No, it just does biblio |
| 17:44 | <Philip`> | gsnedders: "bilbiography"? |
| 17:45 | <gsnedders> | Yes, I can't spell. |
| 17:45 | Philip` | suggests a spell chequer |
| 17:45 | <Lachy> | gsnedders, so when I submit one of my specs, does it just append the reference section to the end, without doing any other processing like anolis does? |
| 17:45 | <gsnedders> | Yeah |
| 17:46 | <Lachy> | so should I go Overview.src.html -> anolis -> Overview.html -> then biblio, to get the final copy of my spec? |
| 17:46 | <gsnedders> | Yeah |
| 17:46 | <Lachy> | ok |
| 17:46 | <gsnedders> | biblio will be merged into Anolis |
| 17:47 | <Lachy> | good |
| 17:47 | <gsnedders> | It's just I really did it for my computing project for school disguised as a separate project |
| 17:47 | <Lachy> | what file format does the extra biblio database field support? |
| 17:47 | <gsnedders> | refer |
| 17:47 | <Lachy> | ok |
| 17:49 | <Lachy> | gsnedders, ping me when you get the internal server error resolved |
| 17:51 | gsnedders | gets a different error |
| 17:56 | <Lachy> | i now get an ImportError |
| 18:08 | gsnedders | sighs, having compiled libxml2 and libxslt |
| 18:10 | <gsnedders> | hmm, so having managed to build lxml, from lxml import html still fails |
| 18:33 | <gsnedders> | Lachy: ping |
| 19:00 | gsnedders | posts <http://gsnedders.com/installing-lxml-on-dreamhost>; |
| 19:05 | <Lachy> | gsnedders, I just tried it with Selectors API. Your bibliographic database seems to be using different identefiers for the references from what Bert's does |
| 19:06 | <Lachy> | e.g. [{!SELECT] is CSS3 selectors in Bert's, but not in yours |
| 19:07 | <Lachy> | and [[!WEBIDL]] doesn't seem to work. I'm guessing that means yours in case sensitive, since "WebIDL" is listed in yours |
| 19:07 | <Lachy> | same issue with Dom-Level-3-Core |
| 19:10 | <Lachy> | gsnedders, other than those relatively minor issues, since I can easily update the references in my spec, the system seems to work fairly well |
| 20:14 | <Hixie> | re the sanitiser, you should always use only whitelisting |
| 20:15 | <Hixie> | and for every attribute value |
| 20:15 | <Hixie> | including e.g. src="", style="", etc |
| 21:09 | <gsnedders> | Lachy: Indeed, I know that. |
| 21:09 | <gsnedders> | Lachy: I can't legitimately copy Bert's database, because I have no access to it, and myself, annevk5, and marcos all disagree with how it does stuff |
| 21:10 | <gsnedders> | Lachy: But you can download Bert's database and use it yourself |
| 21:10 | <gsnedders> | It's linked to from the docs |
| 21:26 | <Hixie> | 56%... |
| 21:28 | gsnedders | wonders when Hixie will finish this |
| 21:29 | <gsnedders> | In time for his birthday? |
| 21:31 | <Philip`> | Which of his birthdays? |
| 21:32 | <gsnedders> | Philip`: 27th December |
| 21:32 | <Philip`> | gsnedders: There's an infinite number of 27ths of December, so that doesn't narrow it down much |
| 21:33 | <gsnedders> | 27th December 2009 AD |
| 21:35 | <Hixie> | 60% |
| 21:35 | <jgraham> | gsnedders: Which calendar system? |
| 21:35 | gsnedders | was waiting for that question |
| 21:35 | <gsnedders> | jgraham: the 29th December 2009 AD is only his birthday in one calendar system |
| 21:36 | <gsnedders> | (Thus that one) |
| 21:36 | <jgraham> | gsnedders: Not given a sufficiently large universe |
| 21:36 | <gsnedders> | Oh shut up. |
| 21:49 | <jgraham> | RFC 3986 tlks about certian URI forms being "less likely" which seems like a fairly pointless distincion to make since it is essential to treat them uniformly anyway |
| 21:49 | <jgraham> | I guess it should say "be sure to test wih the following special cases" or something |
| 22:31 | <Hixie> | 62% |
| 22:34 | <annevk5> | why is the datagrid section greyed out? |
| 22:35 | <annevk5> | I see, <div class=bad> :) |
![HTTP://WWW.G.COM/png.png"](HTTP://WWW.G.COM/png.png"){kind=link}