[whatwg] Make quoted attributes a conformance criterion

Keryx Web webmaster at keryx.se
Sat Jul 25 02:47:57 PDT 2009


On 2009-07-25 05:55, Bil Corry wrote:
>  it's still a best practice to encode/sanitize the value

Speaking (once again) as someone who has had students in this position a 
lot of times (and myself a few times) this does not cover all use cases.

Consider this PHP template:

<input type=text value=$login name=login>

Value is the suggested text, if no user data is available it says 
"login". Otherwise its the users login name (no spaces allowed). All is 
well.

One day a developer decides that "login name" is a better value, and 
hard codes it into the PHP business logic, producing this HTML:

<input type=text value=login name name=login>

All of a sudden you *effectively* have produced this:

<input type=text value=login name="">

And it stops working.

Now, what would have been easier to avoid this? Url-encoding hard coded 
variable data, or adding two quotation marks to the template?

Bottom line:

I think my suggestion is totally analogous to e.g. semi-colon insertion 
in ECMAScript. JSLint demands that those should be present, and I've yet 
to hear anyone say "it's a matter of style". Omitting semi-colons is a 
known cause of trouble in ECMAScript. Omitting quotation marks is a 
known cause of trouble in HTML.

Choosing between robustness and saving a few bytes, one should always 
opt for the former.

-- 
Keryx Web (Lars Gunther)
http://keryx.se/
http://twitter.com/itpastorn/
http://itpastorn.blogspot.com/


More information about the whatwg mailing list