what's BytesStart::unescaped for?

[scottlamb]

I'm trying to switch to quick-xml and am struggling to understand the API for just getting strings (for tag names, attribute names, attribute values, and text/cdata nodes).

I saw that the caller must unescaped text/cdata/attribute values, and this comment that the caller must decode the character encoding.

Next question: what is BytesStart::unescaped for? It says it handles escapes/entities like < but that doesn't make sense to me. Is this the right grammar for the XML tag name from the spec?

NameStartChar ::= ":" | [A-Z] | "_" | [a-z] | [#xC0-#xD6] | [#xD8-#xF6] | [#xF8-#x2FF] | [#x370-#x37D] | [#x37F-#x1FFF] | [#x200C-#x200D] | [#x2070-#x218F] | [#x2C00-#x2FEF] | [#x3001-#xD7FF] | [#xF900-#xFDCF] | [#xFDF0-#xFFFD] | [#x10000-#xEFFFF]
NameChar ::= NameStartChar | "-" | "." | [0-9] | #xB7 | [#x0300-#x036F] | [#x203F-#x2040]
Name ::= NameStartChar (NameChar)*

It looks like a & (aka #x26) isn't allowed. So why unescape? or what am I missing?

[Mingun]

Actually, that method gives you all internal content of a tag (i.e. name + attributes). As such, it could have been intended in order to expand entities in all attributes in one pass. Probably we should remove it and provide other ways to get normalized attribute value (see also #371)

[Mingun]

Duplicate of #118

[kornelski]

I suggest to deprecate or remove this method. I don't see any valid use for it. Entities are not allowed in tag names, and unescaping of attributes as a whole allows injection:

<foo real="1&quot; fake=&quot;2"/>

unescapes to:

<foo real="1" fake="2"/>