HTML Standard Tracker


SVN | Bug | Comment | Time (UTC)
4623 | | Add an example of srcdoc='' and some usage notes. | 2010-01-24 06:45
@@ -20942,24 +20942,65 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
   initial <code>about:blank</code> page.</p>
   <p class="note">If the user <span title="navigate">navigates</span>
   away from this page, the <code>iframe</code>'s corresponding
   <code>WindowProxy</code> object will proxy new <code>Window</code>
   objects for new <code>Document</code> objects, but the <code
   title="attr-iframe-src">src</code> attribute will not change.</p>
   <div class="example">
-   <p class="XXX">example for srcdoc here</p>
+   <p>Here a blog uses the <code
+   title="attr-iframe-srcdoc">srcdoc</code> attribute in conjunction
+   with the <code title="attr-iframe-sandbox">sandbox</code> and <code
+   title="attr-iframe-seamless">seamless</code> attributes described
+   below to provide users of user agents that support this feature
+   with an extra layer of protection from script injection in the blog
+   post comments:</p>
+   <pre>&lt;article>
+ &lt;h1>I got my own magazine!&lt;/h1>
+ &lt;p>After much effort, I've finally found a publisher, and so now I
+ have my own magazine! Isn't that awesome?! The first issue will come
+ out in September, and we have articles about getting food, and about
+ getting in boxes, it's going to be great!&lt;/p>
+ &lt;footer>
+  &lt;p>Written by &lt;a href="/users/cap">cap&lt;/a>.
+  &lt;time pubdate>2009-08-21T23:32Z&lt;/time>&lt;/p>
+ &lt;/footer>
+ &lt;article>
+  &lt;footer> At &lt;time pubdate>2009-08-21T23:35Z&lt;/time>, &lt;a href="/users/ch">ch&lt;/a> writes: &lt;/footer>
+  &lt;iframe seamless sandbox="allow-same-origin" srcdoc="&lt;p>did you get a cover picture yet?">&lt;/iframe>
+ &lt;/article>
+ &lt;article>
+  &lt;footer> At &lt;time pubdate>2009-08-21T23:44Z&lt;/time>, &lt;a href="/users/cap">cap&lt;/a> writes: &lt;/footer>
+  &lt;iframe seamless sandbox="allow-same-origin" srcdoc="&lt;p>Yeah, you can see it &lt;a href=&amp;quot;/gallery/cover/1&amp;quot;>in my gallery&lt;/a>.">&lt;/iframe>
+ &lt;/article>
+ &lt;article>
+  &lt;footer> At &lt;time pubdate>2009-08-21T23:58Z&lt;/time>, &lt;a href="/users/ch">ch&lt;/a> writes: &lt;/footer>
+  &lt;iframe seamless sandbox="allow-same-origin" srcdoc="&lt;p>hey that's earl's table.
+&lt;p>you should get earl&amp;amp;me on the next cover.">&lt;/iframe>
+ &lt;/article></pre>
+  <p class="note">In <span>the HTML syntax</span>, authors need only
+  remember to use U+0022 QUOTATION MARK characters (") to wrap the
+  attribute contents and then to quote all U+0022 QUOTATION MARK (")
+  and U+0026 AMPERSAND (&amp;) characters, and to specify the <code
+  title="attr-iframe-sandbox">sandbox</code> attribute, to ensure safe
+  embedding of content.</p>
+  <p class="note">Due to restrictions of <span>the XML syntax</span>,
+  in XML a number of other characters need to be escaped also to
+  ensure correctness.</p>
   <p>The <dfn title="attr-iframe-name"><code>name</code></dfn>
   attribute, if present, must be a <span>valid browsing context
   name</span>. The given value is used to name the <span>nested
   browsing context</span>. <span class="impl">When the browsing
   context is created, if the attribute is present, the <span>browsing
   context name</span> must be set to the value of this attribute;
   otherwise, the <span>browsing context name</span> must be set to the
   empty string.</span></p>
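
Review bot: The added note "authors need only remember to ... specify the sandbox attribute, to ensure safe embedding of content" ties safety to the attribute being present, while every iframe in the example sets sandbox="allow-same-origin"; the note should say that the protection depends on which keywords are granted and why allow-same-origin is used here, so the example is not copied with a looser value. In the same note, "quote all U+0022 QUOTATION MARK (") and U+0026 AMPERSAND (&amp;) characters" uses "quote" to mean "escape" immediately after using quotation marks to mean wrapping the value; "escape" would be clearer, and it is worth stating that ampersands are escaped before quotation marks so that the reference produced for a quotation mark is not escaped a second time. The XML note says "a number of other characters need to be escaped" without naming them; list the characters. In the example markup, the outer &lt;article> opened on the first line of the pre has no matching close tag among the visible lines, since the final &lt;/article> closes the third comment.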