[whatwg] Encoding Standard (mostly complete)
And Clover
and-py at doxdesk.com
Thu Apr 19 06:11:44 PDT 2012
On 2012-04-18 22:34, Glenn Maynard wrote:
> (It would be pretty neat if that could be changed to *always* using HTML
> escapes for non-ASCII, except when encoding to UTF-8, since that's not
> introducing anything new--you can already receive&x1234; escapes in POST
> data--and it would alleviate the "form submit encoding depends on the
> source page's encoding" problem. I guess this must break pages somehow, or
> vendors would have done this long ago.)
It naturally would break any page that's deliberately using a non-UTF
encoding. Web applications do not - and should not be -
HTML-character-reference-decoding their input because this would mangle
literal use of & characters (which are *not* escaped to &). There is
no way to correctly recover a value that has been through this form of
lossy encoding.
The charref-encoding-fallback is an ugly legacy hack that confuses web
authors and tempts them into using submitted strings directly without
HTML-escaping, resulting in security holes. Its use should be minimised
wherever possible.
--
And Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/
gtalk:chat?jid=bobince at gmail.com
More information about the whatwg
mailing list