- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Tue, 3 May 2011 10:16:25 -0400
On Mon, May 2, 2011 at 6:32 PM, Ian Hickson <ian at hixie.ch> wrote:
> I just meant that it would be a poor authoring experience. I agree that it
> should in theory be possible with the current API; it just seems that if
> that's the use case we want to address, we should instead just have
> people point to a URL and be done with it:
>
>   <input type=text autosuggest="/cgi-bin/autocomplete.pl">
>
> ...or some such.

This is too inflexible. It splits the logic between the browser and server in a rigid way, and doesn't allow client-side script to have any say. It would be much more useful to have a script API that lets you assign a list of suggestions to an input. Basically the same functionality as datalist, just easier to script. This way, the author has control over when and how the results are fetched and displayed, can use any format on the server side, can retrieve results from the client side if they like, etc.

There's no need to use the subjunctive here, by the way. As I said, I did actually write such a search-suggestion thing for MediaWiki using the datalist API, and it works great in Firefox 4 as far as I can tell. It was just complicated unnecessarily by the need to add datalist elements to the DOM instead of plugging a list directly into the input.

On Mon, May 2, 2011 at 8:22 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> I'd also be worried about making it possible to write keyloggers on
> sites that filter out scripts, but do allow form controls to be
> inserted.

This has to be a secondary concern, though -- we realistically can't worry *too* much about sites that blacklist attributes or elements in user input instead of whitelisting. Especially when you're talking about allowing form controls, which is uncommon and poses security risks regardless (phishing/CSRF type stuff). All else being equal, we should avoid such new attributes, but not if they're the best solution available for a problem. Otherwise we could really hamper our ability to add new features to the platform, for the sake of a security model that's fundamentally broken anyway.

> It seems to me that a simple boolean attribute and a few lines of
> script solves 80% of the use cases.

What boolean attribute would that be?
Received on Tuesday, 3 May 2011 07:16:25 UTC
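
The blacklist-versus-whitelist point raised in the message above, as an added example that is not part of the original thread: a filter that strips known-bad markup passes an attribute invented after it was written, while a filter that names what is permitted drops it. The node objects, policy lists and function names are constructed for illustration, and `autosuggest` is the hypothetical attribute from the quoted proposal.

```javascript
// Constructed, already-parsed user fragments. `autosuggest` is the hypothetical
// attribute from the quoted proposal; it is not a real HTML attribute.
const SAMPLE_NODES = [
  { tag: "input", attrs: { type: "text", name: "q" } },
  { tag: "input", attrs: { type: "text", autosuggest: "https://third-party.example/s" } },
  { tag: "input", attrs: { type: "text", onfocus: "track()" } },
  { tag: "script", attrs: { src: "https://third-party.example/x.js" } },
];

// Blocklist policy written before the new attribute existed: strip known-bad.
const BLOCKED_TAGS = new Set(["script", "iframe", "object", "embed"]);
const isBlockedAttr = (name, value) =>
  /^on/i.test(name) || /^\s*javascript:/i.test(String(value));

function blocklistSanitize(node) {
  if (BLOCKED_TAGS.has(node.tag.toLowerCase())) return null;
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs)) {
    if (!isBlockedAttr(name, value)) attrs[name] = value;
  }
  return { tag: node.tag, attrs };
}

// Allowlist policy: name what is permitted, drop the rest. Maps avoid matching
// inherited Object.prototype keys such as "constructor".
const ALLOWED = new Map([
  ["input", new Map([["type", new Set(["text", "checkbox", "radio"])],
                     ["name", null], ["value", null]])],
  ["label", new Map([["for", null]])],
]);

function allowlistSanitize(node) {
  const rules = ALLOWED.get(node.tag.toLowerCase());
  if (!rules) return null;
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs)) {
    const key = name.toLowerCase();
    if (!rules.has(key)) continue;
    const allowedValues = rules.get(key); // null means any value is accepted
    if (allowedValues && !allowedValues.has(String(value).toLowerCase())) continue;
    attrs[key] = value;
  }
  return { tag: node.tag.toLowerCase(), attrs };
}

// Attribute names that remain after running a sanitizer over all nodes.
function survivingAttrs(sanitize, nodes) {
  return nodes.map(sanitize).filter(Boolean).flatMap((n) => Object.keys(n.attrs));
}
```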