W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2009

[whatwg] Make quoted attributes a conformance criterion

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Sun, 26 Jul 2009 10:18:09 -0400
Message-ID: <7c2a12e20907260718p7f1dc120tc59805ee9150e620@mail.gmail.com>
On Sun, Jul 26, 2009 at 5:15 AM, Keryx Web<webmaster at keryx.se> wrote:
> Who is talking about substitution? I am not talking about server side
> scripting practices as a whole. I said that escaping is no substitution for
> using quotes, since one can not expect developers to escape space
> characters. That's all.

Since you're escaping anyway, you can just have the escaping function
add the quotes (if needed).  So the issue won't arise.

> And I think adding quotes is better handled in the presentation logic, than
> in the business logic. It is more the responsibility of the front end
> engineer, than of the back end developer.

Why?  If the escaping function doesn't add the quotes, you run into
the possibility of a situation where the front-end developer omits the
quotes, and nothing bad happens until a value with spaces is used --
since regardless of best practices or the advice of conformance
checkers, browsers *will* accept unquoted values without complaint.

If the escaping function does add the quotes, on the other hand, then
the worst the front-end developer can do would be to add extra quotes.
 That would either cause the value to be empty (e.g. id=""foo""), or
be treated as invalid (e.g. style="'color:red'"), or work but have
extra quotes in it (e.g. title="'Hello'"), in any case much more
easily noticeable.  Having the escaping function add the quotes is
thus a better policy.

> So, you are using python, a language that enforces specific indentation to
> define block statements, to say that JSLint has got it all wrong? Douglas
> Crockford, and every other JavaScript guru I know, have identified using
> semi-colons as best practice - for JavaScript.

Roughly every Python guru out there identifies using spaces instead of
tabs as best practice in Python.  That doesn't mean it has any
intrinsic merit.  It's just a stylistic convention.

> I think I've stated my case by now. So until I hear from Ian (who writes the
> spec) or Henri, who is authoring the validator, I think we've reached the
> end of this discussion.

Agreed.
Received on Sunday, 26 July 2009 07:18:09 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:14 UTC