[whatwg] Web Forms 2.0 comments

Ian Hickson wrote:
>>Going right against the ideas for other useful ways to use this other
>>index, I think the parsing of [ID] (and, if included, {DOMORDER}) should
>>be limited to just the "for", "headers", "id", "name" and "template"
>>attributes (and maybe also "cite", "href" and "src"), or at least to
>>exclude the "value" attribute. I am aware of more than one clumsily
>>coded web application which utilizes multiple screens and stores the
>>received values from the previous screen in the value of a hidden input
>>element. It is quite imaginable for such received input to include text
>>between square brackets which would match the id of a repetition
>>template, with obviously disastrous results. Although this problem is
>>mitigated by most such hidden inputs _probably_ not being included in
>>repetition templates, I can still imagine use cases where this can
>>happen. (Multiple search engine submission forms being one of them.)
> 
> 
> Ouch, good point, a template might well include user-entered data that
> might match that string. For that matter a script might contain [foo]
> which happens to be the ID of the template.
> 
> I'm somewhat reluctant to just say "only do these attributes" since
> there's bound to be use cases where you need to do it that haven't been
> covered. Like, in fact, value (there are some interesting use cases that
> involve only using it in value, instead of name, and some cases where
> you would want to affect the scripts).
> 
> Any other ideas for solving this?

Well, it could be done like boundaries in MIME -- you don't provide a
quoting mechanism, but you allow for explicit replacement values that
can be arbitrarily unlikely to occur.  E.g.:

<tr template="whatever" template-replace="somelongstring">
  <input name="phone_somelongstring"...>
</tr>

This is obnoxious, but at least explicit and potentially robust (but 
only potentially, not necessarily).

This is somewhat reminiscent of Zope Page Templates, where it would be 
something like:

<tr template="whatever">
   <input template-attributes="name phone_[whatever]"...>
</tr>

In TAL you use ; to define multiple attributes, but the expressions 
aren't free-form strings so ; can be avoided.  That's not the case here 
-- but then, it's not that big a deal, since this makes attribute 
substitution explicit.  Namespaces would be simpler still, but I don't 
know that this is an appropriate use of namespaces:

<tr template="whatever">
   <input template:name="phone_[whatever]"...>
</tr>

   Ian

Received on Tuesday, 15 June 2004 09:32:48 UTC
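
An added example, not part of the original message or of the Web Forms 2.0 draft: it models the thread's three substitution schemes on plain attribute maps and shows which of them rewrite user-supplied text held in a hidden input's value. The function names, the token string and the sample rows are assumptions made for illustration.

```javascript
const TOKEN = "q7Zx91f3c2"; // constructed marker (assumption, not from the page)

// Replace every occurrence of `marker` in every attribute of every input.
function expandAll(inputs, marker, index) {
  return inputs.map((attrs) =>
    Object.fromEntries(
      Object.entries(attrs).map(([k, v]) => [k, v.split(marker).join(String(index))])
    )
  );
}

// Opt-in variant: only attributes written as "template:<attr>" are expanded
// (and renamed to <attr>); everything else is copied verbatim.
function expandOptIn(inputs, marker, index) {
  const prefix = "template:";
  return inputs.map((attrs) =>
    Object.fromEntries(
      Object.entries(attrs).map(([k, v]) =>
        k.startsWith(prefix)
          ? [k.slice(prefix.length), v.split(marker).join(String(index))]
          : [k, v]
      )
    )
  );
}

// Constructed sample: a hidden field echoing text typed on a previous screen.
const userText = "see [row] 3 of my invoice";
const implicitRow = [
  { name: "phone_[row]" },
  { type: "hidden", name: "note_[row]", value: userText },
];
const tokenRow = [
  { name: `phone_${TOKEN}` },
  { type: "hidden", name: `note_${TOKEN}`, value: userText },
];
const optInRow = [
  { "template:name": "phone_[row]" },
  { type: "hidden", "template:name": "note_[row]", value: userText },
];
function demo() {
  return {
    implicit: expandAll(implicitRow, "[row]", 0), // value is rewritten too
    token: expandAll(tokenRow, TOKEN, 0), // value survives
    optIn: expandOptIn(optInRow, "[row]", 0), // value survives
    // The token only lowers the odds: data containing it is still rewritten.
    tokenCollision: expandAll([{ value: `x ${TOKEN} y` }], TOKEN, 0)[0].value,
  };
}
```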