- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Sun, 26 Jul 2009 10:18:09 -0400
On Sun, Jul 26, 2009 at 5:15 AM, Keryx Web<webmaster at keryx.se> wrote: > Who is talking about substitution? I am not talking about server side > scripting practices as a whole. I said that escaping is no substitution for > using quotes, since one can not expect developers to escape space > characters. That's all. Since you're escaping anyway, you can just have the escaping function add the quotes (if needed). So the issue won't arise. > And I think adding quotes is better handled in the presentation logic, than > in the business logic. It is more the responsibility of the front end > engineer, than of the back end developer. Why? If the escaping function doesn't add the quotes, you run into the possibility of a situation where the front-end developer omits the quotes, and nothing bad happens until a value with spaces is used -- since regardless of best practices or the advice of conformance checkers, browsers *will* accept unquoted values without complaint. If the escaping function does add the quotes, on the other hand, then the worst the front-end developer can do would be to add extra quotes. That would either cause the value to be empty (e.g. id=""foo""), or be treated as invalid (e.g. style="'color:red'"), or work but have extra quotes in it (e.g. title="'Hello'"), in any case much more easily noticeable. Having the escaping function add the quotes is thus a better policy. > So, you are using python, a language that enforces specific indentation to > define block statements, to say that JSLint has got it all wrong? Douglas > Crockford, and every other JavaScript guru I know, have identified using > semi-colons as best practice - for JavaScript. Roughly every Python guru out there identifies using spaces instead of tabs as best practice in Python. That doesn't mean it has any intrinsic merit. It's just a stylistic convention. > I think I've stated my case by now. So until I hear from Ian (who writes the > spec) or Henri, who is authoring the validator, I think we've reached the > end of this discussion. Agreed.
Received on Sunday, 26 July 2009 07:18:09 UTC