Re: passing angle brackets in form parameters?

Steven J. DeRose (sjd@ebt.com)
Mon, 24 Apr 1995 11:49:43 -0500


Message-Id: <199504241638.MAA00494@ebt-inc.ebt.com>
Date: Mon, 24 Apr 1995 11:49:43 -0500
To: narnett@verity.com, Multiple recipients of list <www-html@www10.w3.org>
From: sjd@ebt.com (Steven J. DeRose)
Subject: Re: passing angle brackets in form parameters?

At  4:12 PM 4/17/95 +0500, Nick Arnett wrote:
>What is the officially correct, legal way to encode angle brackets in form
>parameters?
>
>Let's say, for example, that one wanted to write the following in one's
>HTML form:
>
><INPUT type=hidden name=accessquestion value="vdkvgwkey contains /WWW-talk/">
>
>..but one wanted to surround the word "contains" with angle brackets.
>With the browser I'm using, I seem to be required to use the HTML method of
>encoding them... to wit:
>
><INPUT type=hidden name=accessquestion value="vdkvgwkey &lt;contains&gt;
>/WWW-talk/">
>
>However, some evil browser out there (I haven't compared the logs to figure
>out which) seems to pass the literals to the server, which proceeds to
>complain mightily about illegal characters.  Actually, the server in
>question here is not the Web daemon, it's our search gizmo, but that
>doesn't really matter; the client is possibly misbehaving.  Or I am.

You can find in the SGML standard that pointy brackets are not recognized
as markup within an attribute value. This is one reason attributes that
contain special characters have to be quoted. Since the HTML specification
defines HTML as an application of SGML, you can just put the the angle
brackets in there in HTML. It is also permissible to use entity references,
but it is not necessary in this case (it would be necessary, for example,
if you wanted to include both single and double quotes inside a quoted
literal, for obvious reasons). 

If a particular browser implemented its HTML parser incorrectly, you may
want to ask them to fix it to become interoperable.

Steve DeRose
EBT