W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2009

[whatwg] Make quoted attributes a conformance criterion

From: Keryx Web <webmaster@keryx.se>
Date: Sun, 26 Jul 2009 11:15:37 +0200
Message-ID: <4A6C1EB9.7080406@keryx.se>
On 2009-07-26 03:56, Aryeh Gregor wrote:
> There's no substitute for real escaping here.  What if the developer
> decided that a better value is something like:
>
> Please enter your "login" name here

Who is talking about substitution? I am not talking about server side 
scripting practices as a whole. I said that escaping is no substitution 
for using quotes, since one can not expect developers to escape space 
characters. That's all.

> Or whatever.  If you're not sure what the input is, you have to
> programmatically escape it.  Once you're programmatically escaping it,
> your escaping function can add the quotes, and can add them only when
> necessary (or always, or whatever you prefer).

And I think adding quotes is better handled in the presentation logic, 
than in the business logic. It is more the responsibility of the front 
end engineer, than of the back end developer.

But it really does not matter. There should be an easy way to enforce 
it, no matter what code generates the quotation marks. I don't think 
such an enforcement is a panacea to all problems, but it's a small help 
for some problems, quite common for rookies, though.

Please do not argue against it on the failed merits of not being able to 
substitute indata filtering and output escaping. Those factors are not 
part of this equation.

>> I think my suggestion is totally analogous to e.g. semi-colon insertion in
>> ECMAScript. JSLint demands that those should be present, and I've yet to
>> hear anyone say "it's a matter of style".
>
> Well, I'm going to say it's a matter of style there, too.  The
> dominant convention in Python, for instance, is to omit semicolons.

So, you are using python, a language that enforces specific indentation 
to define block statements, to say that JSLint has got it all wrong? 
Douglas Crockford, and every other JavaScript guru I know, have 
identified using semi-colons as best practice - for JavaScript.

My analogy was simply this: Just like it makes sense for a JavaScript 
lint tool to enforce semi-colons, it makes sense for an HTML conformance 
checker to enforce quotation marks.

Always? No, not for boolean attributes and *perhaps* not for attributes 
that by design never can take anything but a simple keyword or integer 
as a value.

I think I've stated my case by now. So until I hear from Ian (who writes 
the spec) or Henri, who is authoring the validator, I think we've 
reached the end of this discussion.


-- 
Keryx Web (Lars Gunther)
http://keryx.se/
http://twitter.com/itpastorn/
http://itpastorn.blogspot.com/
Received on Sunday, 26 July 2009 02:15:37 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:14 UTC