[whatwg] Make quoted attributes a conformance criterion

On Sat, Jul 25, 2009 at 5:47 AM, Keryx Web<webmaster at keryx.se> wrote:
> Consider this PHP template:
>
> <input type=text value=$login name=login>
>
> Value is the suggested text; if no user data is available it says "login".
> Otherwise it's the user's login name (no spaces allowed). All is well.
>
> One day a developer decides that "login name" is a better value, and hard
> codes it into the PHP business logic, producing this HTML:
>
> <input type=text value=login name name=login>

There's no substitute for real escaping here.  What if the developer
decided that a better value is something like:

Please enter your "login" name here

Or whatever.  If you're not sure what the input is, you have to
programmatically escape it.  Once you're programmatically escaping it,
your escaping function can add the quotes, and can add them only when
necessary (or always, or whatever you prefer).

> I think my suggestion is totally analogous to e.g. semi-colon insertion in
> ECMAScript. JSLint demands that those should be present, and I've yet to
> hear anyone say "it's a matter of style".

Well, I'm going to say it's a matter of style there, too.  The
dominant convention in Python, for instance, is to omit semicolons.

Received on Saturday, 25 July 2009 18:56:05 UTC
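The point made in the reply above, that an escaping function rather than a quoting rule is what keeps attribute values intact, is easy to see by feeding the thread's own template through a small attribute tokenizer. The following is an added example, not code from the whatwg thread or from any browser; `parse_attrs` is a deliberately reduced approximation of the HTML attribute tokenizer (whitespace ends an unquoted value, quotes delimit a quoted one, character references are decoded, and the first occurrence of a duplicate attribute wins) written only to show what a browser would see. The template strings and sample values are constructed for the demonstration.

```python
"""Unquoted vs. quoted vs. properly escaped HTML attribute values.

Added example (not from the whatwg thread).  parse_attrs() is a small
approximation of the HTML attribute tokenizer, good enough to show what
a browser makes of each rendering; it is not a complete HTML parser.
"""
import html
import re


def parse_attrs(tag: str) -> dict:
    """Return the attributes a browser would see in a start tag such as
    '<input type=text value=login name name=login>'."""
    body = tag.strip()
    assert body.startswith("<") and body.endswith(">"), "expected one start tag"
    body = body[1:-1]
    body = body[re.match(r"[A-Za-z][^\s/>]*", body).end():]  # drop the tag name
    attrs = {}
    pos, n = 0, len(body)
    while pos < n:
        while pos < n and body[pos].isspace():
            pos += 1
        if pos >= n:
            break
        start = pos                              # attribute name
        while pos < n and not body[pos].isspace() and body[pos] != "=":
            pos += 1
        name = body[start:pos].lower()
        while pos < n and body[pos].isspace():
            pos += 1
        value = ""
        if pos < n and body[pos] == "=":
            pos += 1
            while pos < n and body[pos].isspace():
                pos += 1
            if pos < n and body[pos] in "\"'":   # quoted value: runs to the matching quote
                quote = body[pos]
                end = body.find(quote, pos + 1)
                end = n if end == -1 else end
                value = body[pos + 1:end]
                pos = end + 1
            else:                                # unquoted value: runs to whitespace
                start = pos
                while pos < n and not body[pos].isspace():
                    pos += 1
                value = body[start:pos]
        if name and name not in attrs:           # duplicate attribute: first one wins
            attrs[name] = html.unescape(value)   # character references are decoded
    return attrs


def attr(value) -> str:
    """Escape a value for a double-quoted attribute and return it WITH the
    quotes, so the template cannot forget them.  html.escape(quote=True)
    turns & < > " ' into character references."""
    return '"' + html.escape(str(value), quote=True) + '"'


# Three renderings of the thread's template (hypothetical template strings).
def render_unquoted(value: str) -> str:
    return f"<input type=text value={value} name=login>"


def render_quoted_unescaped(value: str) -> str:
    return f'<input type=text value="{value}" name=login>'


def render_escaped(value: str) -> str:
    return f"<input type=text value={attr(value)} name=login>"


if __name__ == "__main__":
    for sample in ("login name",
                   'Please enter your "login" name here',
                   'x" onfocus="alert(1)'):
        for render in (render_unquoted, render_quoted_unescaped, render_escaped):
            print(render.__name__, parse_attrs(render(sample)))
```

Running the script shows that `render_unquoted("login name")` yields `value="login"` and an empty `name`, because the second `name` token is a duplicate and is dropped; quoting without escaping survives that input but falls apart on a value containing a double quote, where `x" onfocus="alert(1)` becomes a real `onfocus` handler; only `render_escaped` returns every sample value unchanged with no extra attributes.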