#288 html writer(s): embedded stylesheets that contain & or < are polyglotness
[Low priority: only affects users using XHTML mime type with certain custom stylesheets]
This is somewhat rare, but CSS stylesheets may contains < or & chars.
In that case, simply embedding them as-is in the body will cause parsing as HTML vs XHTML to differ.
http://www.w3.org/TR/html-polyglot/#fig-examples-of-content-that-is-not-safe-text-content
A simple (somewhat contrived) example:
$ cat x.css
/* Explicit sarcasm as sometimes used in email. */
[class="sarcasm"]::after { content: "</sarcasm>"; }
$ cat x.rst
— Hey, sudo make me a sandwitch!
.. class:: sarcasm
— `you` is not in the sudoers file. This incident will be reported.
$ rst2html.py --stylesheet=x.css --embed-stylesheet x.rst > x.html
$ rst2html.py --stylesheet=x.css --embed-stylesheet x.rst > x.xml
$ rst2html5.py --stylesheet=x.css --embed-stylesheet x.rst > x5.html
$ rst2html5.py --stylesheet=x.css --embed-stylesheet x.rst > x5.xml
Viewing the 2 .html files works fine but the .xml files show tag mismatch errors (Chrome, FireFox).
(With --link-stylesheet all 4 natually work)
=> The simplest fix is I believe to always add /*<![CDATA[*/ ... /*]]>*/ around the content (which parses to empty CSS comments either way).
I believe that's certainly safe for HTML5 writer, but I'm not sure about html4css1 (polyglot doc I've read is for xml/html5 coexistance).
-
Hmm, HTML4 transitional validator complained and sent me to http://www.htmlhelp.com/tools/validator/problems.html#script and http://www.w3.org/TR/html4/appendix/notes.html#h-B.3.2.1 which say I basically can't have unescaped
</at all within style/script. Commented CDATA probably won't hurt(?) but won't really help. It's not hard to escape but user would have to do it (or docutils would have to do some intrusive parsing). -
IE6 happily read .html with commented CDATA. It doesnt really support XHTML but it did complain on x.xml being malformed and did parses .xml with commented CDATA (shown as highlighted tree for lack of XSL).
-
https://mathiasbynens.be/notes/etago explains no browser ever implemented the strict
</closing spec; they closed on more complicated rules — roughly</style— which is what HTML5 codified.
=> It sounds like using commented CDATA in HTML4 doesn't in itself break validity, embedding styles with < and & (as long as it's not </style but common) will work in practice all old browsers, and the CDATA will help newer browsers if the doc is served with XHTML mime type to them. Sounds safe & beneficial?
P.S. Similar problem occurs with .. raw:: html containing an inline <script>a < b && c < d</script>, where unlike CSS hitting < and & is quite common. Or an inline <style> (invalid but mostly works, generally pointless). But I don't see any simple way for docutils to help with these, except mentioning the CDATA trick in to the FAQ.
I prefer the solution given in your link:
Both, CSS style sheets and raw HTML are not checked or sanitized by rST or Docutils. Users have all the freedom and all the responsibility.
They can also use the above-suggested wrapper but I don't want Docutils to hard-code this hack into its output.
This is in any case no bug but a feature-request.