- From: Keryx Web <webmaster@keryx.se>
- Date: Sun, 26 Jul 2009 11:15:37 +0200
On 2009-07-26 03:56, Aryeh Gregor wrote: > There's no substitute for real escaping here. What if the developer > decided that a better value is something like: > > Please enter your "login" name here Who is talking about substitution? I am not talking about server side scripting practices as a whole. I said that escaping is no substitution for using quotes, since one can not expect developers to escape space characters. That's all. > Or whatever. If you're not sure what the input is, you have to > programmatically escape it. Once you're programmatically escaping it, > your escaping function can add the quotes, and can add them only when > necessary (or always, or whatever you prefer). And I think adding quotes is better handled in the presentation logic, than in the business logic. It is more the responsibility of the front end engineer, than of the back end developer. But it really does not matter. There should be an easy way to enforce it, no matter what code generates the quotation marks. I don't think such an enforcement is a panacea to all problems, but it's a small help for some problems, quite common for rookies, though. Please do not argue against it on the failed merits of not being able to substitute indata filtering and output escaping. Those factors are not part of this equation. >> I think my suggestion is totally analogous to e.g. semi-colon insertion in >> ECMAScript. JSLint demands that those should be present, and I've yet to >> hear anyone say "it's a matter of style". > > Well, I'm going to say it's a matter of style there, too. The > dominant convention in Python, for instance, is to omit semicolons. So, you are using python, a language that enforces specific indentation to define block statements, to say that JSLint has got it all wrong? Douglas Crockford, and every other JavaScript guru I know, have identified using semi-colons as best practice - for JavaScript. My analogy was simply this: Just like it makes sense for a JavaScript lint tool to enforce semi-colons, it makes sense for an HTML conformance checker to enforce quotation marks. Always? No, not for boolean attributes and *perhaps* not for attributes that by design never can take anything but a simple keyword or integer as a value. I think I've stated my case by now. So until I hear from Ian (who writes the spec) or Henri, who is authoring the validator, I think we've reached the end of this discussion. -- Keryx Web (Lars Gunther) http://keryx.se/ http://twitter.com/itpastorn/ http://itpastorn.blogspot.com/
Received on Sunday, 26 July 2009 02:15:37 UTC