水無月ばけらのえび日記

スタイル属性中で、ある処理系が、危険な文字列として、「background」を認識し、これをフィルターしているとします。しかしながら、「bac\kground」は透過してしまうかもしれません。多くのブラウザは、これを「background」として処理します。しかしながら、これはＣＳＳの仕様上、おかしな話しです。いや、規定されていないので、ブラウザのメーカが適宜解釈して実装しているのかもしれません。

以上、スターダストさんのhoshikuzu|stardustの書斎 2003-12-13 Vulnerability Note VU#707100 より

In CSS2, a backslash (\) character indicates three types of character escapes.

First, inside a string, a backslash followed by a newline is ignored (i.e., the string is deemed not to contain either the backslash or the newline).

Second, it cancels the meaning of special CSS characters. Any character (except a hexadecimal digit) can be escaped with a backslash to remove its special meaning. For example, "\"" is a string consisting of one double quote. Style sheet preprocessors must not remove these backslashes from a style sheet since that would change the style sheet's meaning.

Third, backslash escapes allow authors to refer to characters they can't easily put in a document. In this case, the backslash is followed by at most six hexadecimal digits (0..9A..F), which stand for the ISO 10646 ([ISO10646]) character with that number. If a digit or letter follows the hexadecimal number, the end of the number needs to be made clear.

以上、CSS2 4.1.3 Characters and case より