
[whatwg] Make quoted attributes a conformance criterion

From: Keryx Web <webmaster@keryx.se>
Date: Sat, 25 Jul 2009 11:47:57 +0200
Message-ID: <4A6AD4CD.8020305@keryx.se>
On 2009-07-25 05:55, Bil Corry wrote:
>  it's still a best practice to encode/sanitize the value

Speaking (once again) as someone who has had students in this position a 
lot of times (and myself a few times) this does not cover all use cases.

Consider this PHP template:

<input type=text value=$login name=login>

Value is the suggested text, if no user data is available it says 
"login". Otherwise it's the user's login name (no spaces allowed). All is 
well.

One day a developer decides that "login name" is a better value, and 
hard codes it into the PHP business logic, producing this HTML:

<input type=text value=login name name=login>

All of a sudden you *effectively* have produced this:

<input type=text value=login name="">

And it stops working.

Now, what would have been easier to avoid this? URL-encoding hard coded 
variable data, or adding two quotation marks to the template?

Bottom line:

I think my suggestion is totally analogous to e.g. semi-colon insertion 
in ECMAScript. JSLint demands that those should be present, and I've yet 
to hear anyone say "it's a matter of style". Omitting semi-colons is a 
known cause of trouble in ECMAScript. Omitting quotation marks is a 
known cause of trouble in HTML.

Choosing between robustness and saving a few bytes, one should always 
opt for the former.

-- 
Keryx Web (Lars Gunther)
http://keryx.se/
http://twitter.com/itpastorn/
http://itpastorn.blogspot.com/
Received on Saturday, 25 July 2009 02:47:57 UTC
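The breakage described in the post, worked through in code. This is an added example, not code from the original mail or from the WHATWG: a small attribute tokenizer that follows the HTML parser's rules for quoted versus unquoted attribute values (unquoted values end at whitespace, a name with no `=` gets an empty value, a duplicate attribute name is dropped and the first occurrence wins), applied to the two template shapes under discussion. The function names `parseAttributes`, `escapeAttr`, `unquotedTemplate` and `quotedTemplate` are assumptions of this example, and the tokenizer is a simplification of the HTML Standard's tokenizer (it decodes only the four named character references an attribute escaper emits).

```javascript
// Added example (not from the original post): show why
// `<input type=text value=$login name=login>` stops working once $login
// contains a space, and why escaping alone does not rescue an unquoted
// template, while quoting plus escaping keeps the value intact.

// Decode the few named character references an attribute escaper produces.
// (The real parser decodes all character references; this is a simplification.)
function decodeRefs(v) {
  return v.replace(/&quot;/g, '"').replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Minimal tokenizer for the attributes of one start tag.
// Rules modelled from the HTML Standard tokenizer:
//   * an unquoted value ends at the first ASCII whitespace;
//   * a quoted value runs to the matching quote and may contain spaces;
//   * a name with no `=` gets the empty string as its value;
//   * a repeated attribute name is a parse error: the first wins, later ones drop.
function parseAttributes(tag) {
  const m = /^<([A-Za-z][^\s/>]*)([\s\S]*?)\/?>$/.exec(tag.trim());
  if (!m) throw new Error('not a single start tag: ' + tag);
  const s = m[2];
  const attrs = {};
  const dropped = [];
  const isWs = (c) => /\s/.test(c);
  let i = 0;
  while (i < s.length) {
    while (i < s.length && isWs(s[i])) i++;
    if (i >= s.length) break;
    let name = '';
    while (i < s.length && !isWs(s[i]) && s[i] !== '=') name += s[i++];
    name = name.toLowerCase();
    while (i < s.length && isWs(s[i])) i++;
    let value = '';
    if (s[i] === '=') {
      i++;
      while (i < s.length && isWs(s[i])) i++;
      if (s[i] === '"' || s[i] === "'") {
        const q = s[i++];
        while (i < s.length && s[i] !== q) value += s[i++];
        i++; // consume the closing quote
      } else {
        while (i < s.length && !isWs(s[i])) value += s[i++];
      }
    }
    if (Object.prototype.hasOwnProperty.call(attrs, name)) dropped.push(name);
    else attrs[name] = decodeRefs(value);
  }
  return { attrs, dropped };
}

// Escape a value for use inside a double-quoted attribute.
function escapeAttr(v) {
  return String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
                  .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The template from the post, unquoted, and its quoted-and-escaped counterpart.
function unquotedTemplate(login) {
  return `<input type=text value=${login} name=login>`;
}
function quotedTemplate(login) {
  return `<input type=text value="${escapeAttr(login)}" name="login">`;
}

// Walk through the post's scenario: "login" works, "login name" breaks.
for (const login of ['login', 'login name']) {
  console.log(unquotedTemplate(login), '=>', parseAttributes(unquotedTemplate(login)));
  console.log(quotedTemplate(login), '=>', parseAttributes(quotedTemplate(login)));
}
```

With the unquoted template and the value `login name`, the tokenizer yields `value="login"`, a bare `name` attribute with an empty value, and the later `name=login` is dropped as a duplicate, which is exactly the `name=""` the post describes. Passing the value through `escapeAttr` first does not help the unquoted form, because a space needs no escaping and still terminates the value; only the quoted template carries the space through.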
