On 08.09.2010 12:14, Kornel Lesiński wrote:
... data: URI theoretically requires percent-escaping, but I don't see how failure to do so could cause a security vulnerability in "data:text/html," content. ...
data *URI* requires percent escaping, but HTML5 uses IRIs (so you don't need to escape non-ASCII), and also has requirements to handle certain non-URI characters (so the attribute value would be invalid, but still work predictably).
Best regards, Julian
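
The difference between a raw and a percent-escaped `data:text/html,` value, as an added example that is not part of the original thread. The sample HTML and the helper names `nonUriChars`, `toDataUri` and `payloadOf` are constructed for illustration; the example goes slightly beyond the thread by also showing `#`, which is a legal URI character but ends the payload because it starts the fragment.

```javascript
// Constructed sample: contains non-URI characters (< > " space, non-ASCII)
// plus '#' and '%', which are URI-legal but carry URI syntax meaning.
const SAMPLE_HTML = '<p>caf\u00e9</p><a href="#top">100% safe</a>';
const RAW = 'data:text/html,' + SAMPLE_HTML; // unescaped form

// RFC 3986 unreserved + reserved characters, plus '%' for escapes.
const URI_CHAR = /^[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]$/;

// Distinct payload characters that RFC 3986 does not allow unescaped.
function nonUriChars(dataUri) {
  const payload = dataUri.slice(dataUri.indexOf(',') + 1);
  const bad = new Set();
  for (const ch of payload) {
    if (!URI_CHAR.test(ch)) bad.add(ch);
  }
  return [...bad];
}

// Strictly valid form: UTF-8 encode, then percent-escape everything that
// encodeURIComponent does not leave alone (it keeps only URI-legal chars).
function toDataUri(html) {
  return 'data:text/html;charset=utf-8,' + encodeURIComponent(html);
}

// What a WHATWG URL parser treats as the document body: the part of the
// path after the first comma, with the fragment excluded.
function payloadOf(dataUri) {
  const path = new URL(dataUri).pathname;
  return decodeURIComponent(path.slice(path.indexOf(',') + 1));
}

console.log(nonUriChars(RAW));                 // characters that make RAW invalid
console.log(payloadOf(RAW));                   // body stops at '#'
console.log(payloadOf(toDataUri(SAMPLE_HTML))); // full body survives
```
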
