- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Sat, 25 Jul 2009 21:56:05 -0400
On Sat, Jul 25, 2009 at 5:47 AM, Keryx Web<webmaster at keryx.se> wrote:
> Consider this PHP template:
>
> <input type=text value=$login name=login>
>
> Value is the suggested text; if no user data is available it says "login".
> Otherwise it's the user's login name (no spaces allowed). All is well.
>
> One day a developer decides that "login name" is a better value, and hard
> codes it into the PHP business logic, producing this HTML:
>
> <input type=text value=login name name=login>

There's no substitute for real escaping here. What if the developer decided that a better value is something like:

Please enter your "login" name here

Or whatever. If you're not sure what the input is, you have to programmatically escape it. Once you're programmatically escaping it, your escaping function can add the quotes, and can add them only when necessary (or always, or whatever you prefer).

> I think my suggestion is totally analogous to e.g. semi-colon insertion in
> ECMAScript. JSLint demands that those should be present, and I've yet to
> hear anyone say "it's a matter of style".

Well, I'm going to say it's a matter of style there, too. The dominant convention in Python, for instance, is to omit semicolons.
Received on Saturday, 25 July 2009 18:56:05 UTC
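As an added illustration of the escaping point made in the message above (not code from the thread or from either poster), here is a small Python attribute-escaping helper that both entity-encodes the value and adds the quotes itself, shown beside the unquoted template from the thread. The sample values are constructed from the cases discussed; the helper names `attr`, `render_input_naive` and `render_input` are assumed for this example.

```python
import html


def attr(value: str) -> str:
    """Escape a string for use as an HTML attribute value and wrap it in double
    quotes. html.escape(..., quote=True) turns & < > " and ' into entities, so
    the value can never terminate the quoted attribute or start a new one."""
    return '"' + html.escape(str(value), quote=True) + '"'


def render_input_naive(value: str) -> str:
    """The unquoted, unescaped template from the thread, kept to show the
    failure: a space in the value becomes a second attribute."""
    return f"<input type=text value={value} name=login>"


def render_input(value: str) -> str:
    """Same template, but the escaping function decides about quoting, so the
    template author never has to know what the value looks like."""
    return f"<input type=text value={attr(value)} name=login>"


# Constructed sample values taken from the cases the thread discusses.
SAMPLES = [
    "login",
    "login name",
    'Please enter your "login" name here',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("naive:  ", render_input_naive(sample))
        print("escaped:", render_input(sample))
```

For "login name" the naive template yields exactly the broken `<input type=text value=login name name=login>` from the thread, while the escaped form keeps the whole string inside one quoted attribute.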