- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 22 Jun 2004 13:10:47 +0000 (UTC)
On Tue, 15 Jun 2004, fantasai wrote:
>
> Change the replacement punctuation from "[id]" to "-.id.-" or ":-id-:" or
> something like that. This has two advantages:
>
>   a) The combination of that very unusual punctuation sequence (both
>      opening and closing) /and/ an exact match of the template ID is
>      going to be so rare as to be practically ignorable.

Malicious users could trivially work out the combination that would break
this, so I don't think that's a solution to the problem.

>   b) ID and NAME attributes using the replacement mechanism can still
>      be valid.

That's a good point though. I'm not sure I like "-.id.-" or ":-id-:", or
".id:" or "_id-" or other combinations I've looked at, though.

   name="order-row_"
   name="order_row-"
   name="order.row:"
   name="order:row."
   name="order-row."

...hmm, none of those leap out at me.

(I have to be honest, the fact that "order[row]" is not a valid ID is not
a big deal for me... that restriction seems pretty arbitrary.)

-- 
Ian Hickson                    U+1047E         )\._.,--....,'``.    fL
http://ln.hixie.ch/            U+263A         /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 22 June 2004 06:10:47 UTC