- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 20 Oct 2006 03:57:50 +0200
* Ian Hickson wrote:
>On Fri, 20 Oct 2006, Bjoern Hoehrmann wrote:
>>
>> * Ian Hickson wrote:
>> >It is very common to see markup such as:
>> >
>> >  <a href=http://example.com/>Example</a>
>> >
>> >I don't see any good reason to make that non-conforming in HTML5.
>>
>> It is very common to see code such as:
>>
>>   echo "<foo bar=" . htmlescape($userinput) . ">...";
>
>...and that will also be compliant, assuming $userinput doesn't have any
>spaces or ">" characters in it. We can't do much about the case where it
>has spaces or ">" characters in it, since we are constrained by how legacy
>UAs parse HTML.

But none of that makes the problem above not a good reason to make the
case above non-conforming. I don't claim this is a good enough reason to
change the draft, but you were just asking for a good reason, and this is
one.

You see, certain HTML advocates claim that the lack of a requirement to
quote attribute values is a cool feature, and if you refuse to quote them
you are cool. If you adopt that thought, and just remember that you have
to escape user input before echoing it, you'll write code as above--which
is very bad.

If the markup above comes from some kind of script, and the document is
checked by an HTML 4.01 checker, the checker will complain, you'd go fix
your script and have removed the problem. An "HTML5" checker probably won't
complain and the author won't fix the script for a long time.

I would expect the specification to at least have a strong warning that
unquoted attribute values can be dangerous and should be avoided in
dynamically generated code.
-- 
Björn Höhrmann · mailto:bjoern at hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Thursday, 19 October 2006 18:57:50 UTC
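The failure mode the message describes, as an added Python example that is not part of the thread: `html.escape` neutralises `<`, `>`, `&` and quotes, but not spaces, so an unquoted attribute built from escaped input is still split into extra attributes by an HTML tokenizer, while a quoted value with the quote characters escaped stays a single attribute. The `render_*` helpers and the sample inputs are constructed for this illustration.

```python
import html
from html.parser import HTMLParser


class TagCapture(HTMLParser):
    """Record (tag, attribute list) for every start tag, to see how a
    browser-like tokenizer actually splits the markup we emitted."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def render_unquoted(userinput):
    # The pattern from the thread: input is escaped, but the attribute
    # value is left unquoted, so a space ends the value early.
    return "<a href=" + html.escape(userinput, quote=True) + ">Example</a>"


def render_quoted(userinput):
    # Hardened form: quote the value and escape quote characters as well,
    # so no character in the input can terminate the attribute.
    return '<a href="' + html.escape(userinput, quote=True) + '">Example</a>'


def parsed_attrs(markup):
    """Return the attribute list of the first start tag in `markup`."""
    parser = TagCapture()
    parser.feed(markup)
    parser.close()
    return parser.tags[0][1]


if __name__ == "__main__":
    # Constructed inputs: one with a space, one with a double quote.
    for sample in ["page.html extra=injected", 'x" extra=injected']:
        print("unquoted:", parsed_attrs(render_unquoted(sample)))
        print("quoted:  ", parsed_attrs(render_quoted(sample)))
```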