- From: Keryx Web <webmaster@keryx.se>
- Date: Sat, 25 Jul 2009 11:47:57 +0200
On 2009-07-25 05:55, Bil Corry wrote:
> it's still a best practice to encode/sanitize the value

Speaking (once again) as someone who has had students in this position a lot of times (and myself a few times), this does not cover all use cases.

Consider this PHP template:

<input type=text value=$login name=login>

Value is the suggested text; if no user data is available it says "login". Otherwise it's the user's login name (no spaces allowed). All is well.

One day a developer decides that "login name" is a better value, and hard codes it into the PHP business logic, producing this HTML:

<input type=text value=login name name=login>

All of a sudden you *effectively* have produced this:

<input type=text value=login name="">

And it stops working. Now, what would have been easier to avoid this? URL-encoding hard coded variable data, or adding two quotation marks to the template?

Bottom line: I think my suggestion is totally analogous to e.g. semi-colon insertion in ECMAScript. JSLint demands that those should be present, and I've yet to hear anyone say "it's a matter of style". Omitting semi-colons is a known cause of trouble in ECMAScript. Omitting quotation marks is a known cause of trouble in HTML. Choosing between robustness and saving a few bytes, one should always opt for the former.

-- 
Keryx Web (Lars Gunther)
http://keryx.se/
http://twitter.com/itpastorn/
http://itpastorn.blogspot.com/
Received on Saturday, 25 July 2009 02:47:57 UTC
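The following JavaScript is an added illustration of the parsing behaviour described in the message above; it is not part of the original post, the thread, or any project. It models the HTML tokenizer's start-tag attribute rules in simplified form (an unquoted value ends at the first whitespace, a quoted value at the matching quote, and when an attribute name repeats the first occurrence wins, which is exactly why the unquoted `value=login name` ends up with `name=""`). The helper names `parseStartTagAttributes`, `attr` and `renderLoginInput` are assumptions made for this example. It goes one step beyond the post's breakage case: the same unquoted template also lets a crafted value add attributes such as an event handler, which the quoted-and-escaped form prevents.

```javascript
// Added example (not from the original message). Simplified model of the
// HTML tokenizer's attribute states for a single start tag:
//   - attribute names are case-insensitive
//   - an unquoted value runs until whitespace or the end of the tag
//   - a quoted value runs until the matching quote
//   - a repeated attribute name is a parse error and the FIRST value is kept
// Only a few named entities are decoded, enough for the escaping helper below.
function decodeEntities(v) {
  const map = { amp: "&", quot: '"', lt: "<", gt: ">", "#39": "'" };
  return v.replace(/&(amp|quot|lt|gt|#39);/g, (_, e) => map[e]);
}

function parseStartTagAttributes(tag) {
  const m = /^<([a-zA-Z][^\s/>]*)([\s\S]*?)\/?>$/.exec(tag.trim());
  if (!m) throw new Error("not a start tag: " + tag);
  const s = m[2];
  const isWs = (c) => c === " " || c === "\t" || c === "\n" || c === "\f" || c === "\r";
  const attrs = {};
  let i = 0;
  while (i < s.length) {
    while (i < s.length && isWs(s[i])) i++;
    if (i >= s.length) break;
    // attribute name: up to whitespace, '=' or '/'
    let name = "";
    while (i < s.length && !isWs(s[i]) && s[i] !== "=" && s[i] !== "/") name += s[i++].toLowerCase();
    if (name === "") { i++; continue; } // stray '/' (self-closing marker)
    while (i < s.length && isWs(s[i])) i++;
    let value = "";
    if (s[i] === "=") {
      i++;
      while (i < s.length && isWs(s[i])) i++;
      if (s[i] === '"' || s[i] === "'") {
        const q = s[i++];
        while (i < s.length && s[i] !== q) value += s[i++];
        i++; // consume the closing quote
      } else {
        while (i < s.length && !isWs(s[i])) value += s[i++]; // unquoted: stops at whitespace
      }
    }
    if (!(name in attrs)) attrs[name] = decodeEntities(value); // duplicate attribute: first wins
  }
  return attrs;
}

// Hardened template helper (assumed name): always quote, and escape the
// characters that could close the value or start new markup.
function attr(value) {
  return '"' + String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;") + '"';
}

// The post's PHP template, rendered either the original unquoted way or
// with every attribute quoted and the interpolated value escaped.
function renderLoginInput(login, { quote = true } = {}) {
  return quote
    ? `<input type="text" value=${attr(login)} name="login">`
    : `<input type=text value=${login} name=login>`;
}

// Constructed inputs: the post's two values plus an attribute-injection probe.
const CASES = ["login", "login name", "x onfocus=alert(1) autofocus", 'a"b'];
for (const login of CASES) {
  for (const quote of [false, true]) {
    const html = renderLoginInput(login, { quote });
    console.log(quote ? "quoted  " : "unquoted", html, "=>", parseStartTagAttributes(html));
  }
}
```

Running it shows the post's sequence: `login` parses fine unquoted, `login name` unquoted yields `name: ""` so the field stops being submitted, and the injection probe turns into an `onfocus` handler plus `autofocus`; with `attr()` every one of those values round-trips as a single `value` attribute.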