Last modified: 2013-06-08 14:21:35 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T26919, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 24919 - Try to allow ', ", & in HTML5 IDs


Summary:	Try to allow ', ", & in HTML5 IDs

Status:	REOPENED

Product:	MediaWiki
Classification:	Unclassified
Component:	General/Unknown (Other open bugs)
Version:	unspecified
Hardware:	All All

Importance:	Low enhancement (vote)
Target Milestone:	---
Assigned To:	Nobody - You can work on this!

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	html5
	Show dependency tree / graph

Reported:	2010-08-24 06:56 UTC by entlinkt
Modified:	2013-06-08 14:21 UTC (History)
CC List:	3 users (show)

See Also:
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description entlinkt 2010-08-24 06:56:57 UTC

escapeId() is currently stripping the ', " and & characters. Is that really necessary? They are apparently allowed in HTML5 as well as in fragments (RFC 3987) and don't cause any known problems other than that they must be escaped in the HTML source. But that applies to all attributes, not just IDs.

Comment 1 DieBuche 2010-12-04 23:25:12 UTC

http://www.mediawiki.org/wiki/Manual:$wgExperimentalHtmlIds

Comment 2 Aryeh Gregor (not reading bugmail, please e-mail directly) 2010-12-04 23:28:45 UTC

Sanitizer.php comment:

     * To ensure we don't have to bother escaping anything, we also strip ', ",
     * & even if $wgExperimentalIds is true.  TODO: Is this the best tactic?
     * We also strip # because it upsets IE, and % because it could be
     * ambiguous if it's part of something that looks like a percent escape
     * (which don't work reliably in fragments cross-browser).

I did this to keep things simple.  There are probably places in the code where someone outputs IDs without escaping on the theory that they can't contain special characters, and people will probably continue to assume that in the future even if we audit all existing uses.  Developers are not going to expect id's to contain special characters.  So I think this should be WONTFIX.

Note You need to log in before you can comment on or make changes to this bug.

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links