control-value() is morally equivalent to attr(), just with some special handling of the values since we know something about types. So, it should work identically to attr():

• it's an "arbitrary substitution function"
• it has the same tainting behavior as attr() (and so can't be used in a URL)