[whatwg] Make quoted attributes a conformance criterion
Keryx Web
webmaster at keryx.se
Sat Jul 25 02:47:57 PDT 2009
On 2009-07-25 05:55, Bil Corry wrote:
> it's still a best practice to encode/sanitize the value
Speaking (once again) as someone who has had students in this position a
lot of times (and myself a few times) this does not cover all use cases.
Consider this PHP template:
<input type=text value=$login name=login>
Value is the suggested text; if no user data is available it says
"login". Otherwise it's the user's login name (no spaces allowed). All is
well.
One day a developer decides that "login name" is a better value, and
hard codes it into the PHP business logic, producing this HTML:
<input type=text value=login name name=login>
All of a sudden you *effectively* have produced this:
<input type=text value=login name="">
And it stops working.
Now, what would have been easier to avoid this? URL-encoding hard-coded
variable data, or adding two quotation marks to the template?
Bottom line:
I think my suggestion is totally analogous to e.g. semi-colon insertion
in ECMAScript. JSLint demands that those should be present, and I've yet
to hear anyone say "it's a matter of style". Omitting semi-colons is a
known cause of trouble in ECMAScript. Omitting quotation marks is a
known cause of trouble in HTML.
Choosing between robustness and saving a few bytes, one should always
opt for the former.
--
Keryx Web (Lars Gunther)
http://keryx.se/
http://twitter.com/itpastorn/
http://itpastorn.blogspot.com/
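The breakage described in the message above, reproduced with Python's standard html.parser (this is an added illustration, not code from the original post or from the WHATWG). It feeds the unquoted template and a quoted, escaped variant through the parser, applies the HTML rule that a repeated attribute name keeps its first occurrence, and shows that only the quoted form survives a value containing a space. The function names (parse_attrs, unquoted_input, quoted_input) are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser


class AttrCollector(HTMLParser):
    """Record the attributes of the first start tag seen.

    HTML keeps the first occurrence of a repeated attribute name and treats
    a name with no value as the empty string; apply both rules here so the
    result matches what a browser would actually use.
    """

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            merged = {}
            for name, value in attrs:
                merged.setdefault(name, "" if value is None else value)
            self.attrs = merged


def parse_attrs(markup):
    """Return the effective attribute dict of the first tag in markup."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def unquoted_input(value):
    # The template from the mail: the value is interpolated without quotes.
    return f"<input type=text value={value} name=login>"


def quoted_input(value):
    # The robust template: quoted attributes plus HTML escaping of the value,
    # so spaces, quotes, '<' and '>' in the data cannot alter the tag.
    return f'<input type="text" value="{escape(value, quote=True)}" name="login">'


def demo():
    """Constructed sample values; returns the parsed attributes for each."""
    results = {}
    for value in ("login", "login name"):
        results[("unquoted", value)] = parse_attrs(unquoted_input(value))
        results[("quoted", value)] = parse_attrs(quoted_input(value))
    return results


if __name__ == "__main__":
    for (form, value), attrs in demo().items():
        print(f"{form:8} {value!r:14} -> {attrs}")
```

With the hard-coded value "login" both templates yield the same attributes; with "login name" the unquoted template turns into value="login" plus an empty name attribute, exactly the effective markup the message describes, while the quoted template keeps value="login name" and name="login".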