On Mon, Sep 7, 2009 at 1:34 PM, Geoffrey Sneddon <foolist...@googlemail.com> wrote:
> Apparently Hixie had previously said he didn't want to change this as it
> will become a non-issue over time. I think it does matter due to the
> security issues it presents in existing UAs. Conforming markup (using
> elements/attributes allowed in HTML 4.01) should not cause JS to execute in
> one browser but not in another.

I agree with you as an author. I wrote an HTML output function in MediaWiki assuming that what the standard says is known to be interoperable, which is apparently wrong. If I hadn't been keeping up with HTML 5, I would have introduced an XSS vulnerability because of some browsers' handling of `. If the problem will go away with time, then perhaps a later version of the standard could make such unquoted attributes conforming, once there's no more problem with them.
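
The quoting decision discussed in this message, as an added example that is not part of the original email and is not MediaWiki's code: an attribute serializer that leaves quotes off only when the value contains none of the characters HTML5 excludes from unquoted attribute values, the backtick included. All function names are hypothetical, and `needsQuotesNaive` is a constructed rule set shown only for comparison.

```javascript
// Added example. Names are hypothetical; sample values are constructed.

// Constructed "before" rule: quote only for whitespace, quotes, =, < and >.
// It lets a backtick through unquoted, which is the case the message warns about.
const NAIVE_UNSAFE = /[\t\n\f\r "'=<>]/;

// Hardened rule: also treat the backtick (U+0060) as requiring quotes, matching
// the characters HTML5 forbids in an unquoted attribute value.
const UNSAFE_UNQUOTED = /[\t\n\f\r "'=<>`]/;

function needsQuotesNaive(value) {
  return value === "" || NAIVE_UNSAFE.test(value);
}

function needsQuotes(value) {
  return value === "" || UNSAFE_UNQUOTED.test(value);
}

// Escape for a double-quoted attribute value.
function escapeQuoted(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Emit name=value, quoting whenever the hardened rule says the bare form
// could be parsed differently by different user agents.
function serializeAttr(name, value) {
  const v = String(value);
  if (needsQuotes(v)) {
    return name + '="' + escapeQuoted(v) + '"';
  }
  // Only "&" needs escaping here; every other risky character forced quoting.
  return name + "=" + v.replace(/&/g, "&amp;");
}
```

Always quoting every attribute value is the simpler policy; the rule above only matters for output code that wants the shorter unquoted form.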