Simetrical wrote:
> About the CDATA section, it seems that the XHTML standard recommends using it.
It doesn't recommend it, it just suggests it as one possibility to ensure that markup is valid:
http://www.w3.org/TR/xhtml1/#h-4.8
This is in contrast to HTML, where (at least in practice) browsers would special-case the contents of script and style tags and might be kind if there were unescaped content there. Using htmlspecialchars is just as valid a way of escaping here.
HTML 4 defines the contents of those elements as CDATA in the DTD, just like <br> and <img> are defined as having no content so there's no ambiguity when they're being interpreted by an HTML parser.
XHTML doesn't provide for that sort of declaration, since XML requires you to be able to parse a document without having a DTD ahead of time.
For compatibility of documents between both HTML and XHTML parsers, XHTML 1.0 recommends using linked resources if possible -- so there's no worry about how to escape contents -- or else using explicit <![CDATA[...]]> sections in your <script> and <style> elements.
-- brion vibber (brion @ wikimedia.org)
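The two escaping strategies discussed in the message above (an explicit CDATA section versus entity-escaping the script body, as htmlspecialchars does), as an added Python example that is not part of the original mail or of MediaWiki. It feeds each form to a strict XML parser, which is what an XHTML user agent is, to show that a raw inline script containing `<` or `&&` is not well-formed while both escaped forms round-trip to the original text. It also adds a JS string-literal encoder (my own practice, not something the thread proposes) that keeps `<`, `>` and `&` out of the output via `\u` escapes, so a server-side value is safe under both an XML parser and a text/html parser, which treats script content as raw text and does not decode `&lt;`. The function names and the sample script are constructed for illustration.

```python
"""Added example: escaping inline <script> content for an XML (XHTML)
parser versus a text/html parser. Not from the original message or from
MediaWiki; names and the sample script are constructed for illustration."""
import html
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"


def xhtml_script_cdata(js):
    """XHTML 1.0 appendix C style: explicit CDATA section around the script.

    The only sequence that closes a CDATA section is ']]>', so a literal
    ']]>' in the script is split across two sections (an XML-only trick).
    The '//' markers comment the delimiters out if a tag-soup HTML parser,
    which does not understand CDATA, ever sees this markup.
    """
    body = js.replace("]]>", "]]]]><![CDATA[>")
    return '<script type="text/javascript">//<![CDATA[\n%s\n//]]></script>' % body


def xhtml_script_entities(js):
    """Escape the script as ordinary character data (roughly what PHP's
    htmlspecialchars does). Well-formed XHTML, and an XML parser decodes it
    back to the original text. An HTML parser treats script content as raw
    text and would hand '&lt;' to the JS engine literally, so XML-only."""
    return '<script type="text/javascript">%s</script>' % html.escape(js, quote=False)


def js_string_literal(value):
    """Encode a server-side value as a JS string literal that is safe to
    inline under both parsers: '<', '>' and '&' become \\uXXXX escapes, so
    the output contains no markup-significant character ('</script' cannot
    end the raw-text element, and XML stays well-formed without CDATA)."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch in "<>&\u2028\u2029":  # U+2028/U+2029 are JS line terminators
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def wrap_document(head_markup):
    """Minimal XHTML document carrying the given markup in <head>."""
    return '<html xmlns="%s"><head>%s</head><body/></html>' % (XHTML_NS, head_markup)


def xhtml_well_formed(doc):
    """True if a strict XML parser (what an XHTML user agent is) accepts it."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


def xhtml_script_text(doc):
    """Parse the document as XML and return the text the <script> element
    carries after CDATA and entity processing."""
    script = ET.fromstring(doc).find(".//{%s}script" % XHTML_NS)
    return script.text or ""


# Constructed sample: a raw '<', a '&&' and a ']]>' that each trip an XML parser.
SAMPLE_JS = 'if (a < b && tag != "]]>") { document.write("<b>&</b>"); }'

if __name__ == "__main__":
    raw = wrap_document('<script type="text/javascript">%s</script>' % SAMPLE_JS)
    print("raw inline script is well-formed XML:", xhtml_well_formed(raw))
    for form in (xhtml_script_cdata, xhtml_script_entities):
        doc = wrap_document(form(SAMPLE_JS))
        print(form.__name__, "round-trips:", SAMPLE_JS in xhtml_script_text(doc))
    print("literal safe under both parsers:", js_string_literal('</script><b>&'))
```

The CDATA and entity forms only solve the XML side: under text/html neither `&lt;` nor a split CDATA section means anything to the parser, which is why embedding data as a `\u`-escaped string literal is the form that works identically whichever parser receives the page.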