[whatwg] Parsing: Disallow slashes in unquoted attribute values?
Bjoern Hoehrmann
derhoermi at gmx.net
Thu Oct 19 18:57:50 PDT 2006
* Ian Hickson wrote:
>On Fri, 20 Oct 2006, Bjoern Hoehrmann wrote:
>>
>> * Ian Hickson wrote:
>> >It is very common to see markup such as:
>> >
>> > <a href=http://example.com/>Example</a>
>> >
>> >I don't see any good reason to make that non-conforming in HTML5.
>>
>> It is very common to see code such as:
>>
>> echo "<foo bar=" . htmlescape($userinput) . ">...";
>
>...and that will also be compliant, assuming $userinput doesn't have any
>spaces or ">" characters in it. We can't do much about the case where it
>has spaces or ">" characters in it, since we are constrained by how legacy
>UAs parse HTML.
But none of that makes the problem above not a good reason to make
the case above non-conforming. I don't claim this is a good enough
reason to change the draft, but you were just asking for a good reason,
and this is one. You see, certain HTML advocates claim that the lack of
a requirement to quote attribute values is a cool feature, and if you
refuse to quote them you are cool.
If you adopt that thought, and just remember that you have to escape
user input before echoing it, you'll write code as above--which is very
bad. If the markup above comes from some kind of script, and the
document is checked by an HTML 4.01 checker, the checker will complain,
you'd go fix your script and have removed the problem. An "HTML5" checker
probably won't complain and the author won't fix the script for a long
time. I would expect the specification to at least have a strong warning
that unquoted attribute values can be dangerous and should be avoided
in dynamically generated code.
--
Björn Höhrmann · mailto:bjoern at hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
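The failure mode Björn describes, shown in working code. This is an added example, not code from the thread or from any WHATWG draft; the `htmlescape` below is an assumed stand-in for the function named in the message, and `parseStartTag` is a deliberately small tokenizer that follows only the quoted/unquoted value rules relevant here (a quoted value runs to the matching quote, an unquoted value runs to the next whitespace or `>`), without decoding character references. The inputs are constructed.

```javascript
// Added example (not from the thread): why HTML-escaping alone does not make
// an unquoted attribute value safe. Escaping neutralises & < > " ' but leaves
// whitespace alone, and whitespace is exactly what terminates an unquoted
// value, so escaped user input can still start a second attribute.

// Assumed stand-in for the htmlescape() named in the message, not its
// actual implementation: the usual five-character replacement.
function htmlescape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The two templating patterns under discussion.
function renderUnquoted(userinput) {
  return '<foo bar=' + htmlescape(userinput) + '>';
}
function renderQuoted(userinput) {
  return '<foo bar="' + htmlescape(userinput) + '">';
}

// Minimal start-tag tokenizer, enough to show where attributes begin and end.
// Character references are left undecoded in the returned values.
function parseStartTag(tag) {
  let i = 0;
  if (tag[i++] !== '<') throw new Error('not a start tag');
  const isSpace = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\f' || c === '\r';
  let name = '';
  while (i < tag.length && !isSpace(tag[i]) && tag[i] !== '/' && tag[i] !== '>') name += tag[i++];
  const attrs = [];
  while (i < tag.length) {
    while (i < tag.length && isSpace(tag[i])) i++;
    if (i >= tag.length || tag[i] === '>') break;
    if (tag[i] === '/') { i++; continue; }            // self-closing slash, ignored
    let aname = '';
    while (i < tag.length && !isSpace(tag[i]) && tag[i] !== '=' && tag[i] !== '/' && tag[i] !== '>') aname += tag[i++];
    while (i < tag.length && isSpace(tag[i])) i++;
    let value = '';
    if (tag[i] === '=') {
      i++;
      while (i < tag.length && isSpace(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < tag.length && tag[i] !== q) value += tag[i++];
        i++;                                            // closing quote
      } else {
        // Unquoted: '/' stays part of the value (the question in the subject
        // line); only whitespace or '>' ends it.
        while (i < tag.length && !isSpace(tag[i]) && tag[i] !== '>') value += tag[i++];
      }
    }
    attrs.push({ name: aname.toLowerCase(), value });
  }
  return { name: name.toLowerCase(), attrs };
}

// The check a practitioner wants: does this input, escaped and dropped into
// an unquoted attribute, grow the tag by an extra attribute?
function injectsAttribute(userinput) {
  return parseStartTag(renderUnquoted(userinput)).attrs.length > 1;
}

// Constructed inputs.
const INJECTION = 'x onmouseover=alert(1)';   // the space survives escaping
const ANGLE     = 'a>b';                      // '>' is escaped, so this stays inside the value

console.log(renderUnquoted(INJECTION), parseStartTag(renderUnquoted(INJECTION)).attrs);
console.log(renderQuoted(INJECTION),   parseStartTag(renderQuoted(INJECTION)).attrs);
console.log(injectsAttribute(INJECTION), injectsAttribute(ANGLE));
```

Run with `node`: the unquoted rendering yields two attributes, `bar="x"` and `onmouseover="alert(1)"`, while the quoted rendering keeps the whole string as the value of `bar`. Any HTML whitespace (tab, newline, form feed) behaves like the space here, which is why the thread's caveat is "no spaces or `>`" and not just "no `>`": the escape function already covers `>`.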