Re: ACTION 614-12: Smart Quotes

On 2015-09-11 14:33, Michael Dyck wrote:
> the non-interpolating one is less useful.
> 
> But if you discard the non-interpolating one, how do you achieve its 
> effect?

You use the interpolating one, and make sure the delimiter doesn't occur 
inside it, or you use string concatenation.

The interpolating version should be fine for the JSON, JavaScript and 
CSS cases, which are currently very error-prone and difficult in XQuery 
because of their mix of curly braces, < > and $, and quotes... fine as 
long as the delimiter is unlikely to occur. If it does occur you can use 
string concatenation of two "smart quotes" blocks.

There's a small danger here of interpolation injection attacks, in the 
case that people are generating queries and think they can use ~~{ .... 
}~~ (or whatever) to avoid having to sanitize user data. This is 
comparable to CDATA injection, and exists with all kinds of quoting 
mechanisms.

By not having the non-interpolating version we're not losing 
functionality we had before, but we are also not gaining quite as much 
expressive power - I agree.


-- 
Liam Quin, W3C
XML Activity Lead;
Digital publishing; HTML Accessibility

Received on Friday, 11 September 2015 18:52:06 UTC
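
The delimiter case discussed in the message above, as an added example that is not part of the original message: a query generator that wraps user data in a `~~{ ... }~~` block, a model parser showing where the block really ends, and the concatenation workaround the message mentions. Assumptions: the `~~{` / `}~~` delimiters are taken literally from the message, a block ends at the first `}~~`, `||` is XQuery string concatenation, and all function names are hypothetical; interpolation markers inside the data are not handled because the message gives no syntax for them.

```python
# Added illustration; delimiters are taken literally from the message,
# function names are hypothetical, sample data is constructed.
OPEN, CLOSE = "~~{", "}~~"

def naive_block(data: str) -> str:
    """Wrap data in a single quoted block with no check at all."""
    return OPEN + data + CLOSE

def split_safe(data: str) -> list[str]:
    """Cut the data inside every CLOSE so no chunk contains the delimiter."""
    chunks, start = [], 0
    while (hit := data.find(CLOSE, start)) != -1:
        chunks.append(data[start:hit + 1])  # "}" stays in this chunk
        start = hit + 1                     # "~~" begins the next chunk
    chunks.append(data[start:])
    return chunks

def safe_expr(data: str) -> str:
    """Emit one block per chunk, joined by string concatenation."""
    return " || ".join(OPEN + c + CLOSE for c in split_safe(data))

def parse_expr(expr: str) -> tuple[str, str]:
    """Model parser for `block (|| block)*`; each block ends at the first
    CLOSE. Returns (string value, text left over outside any block)."""
    value, pos = "", 0
    while expr.startswith(OPEN, pos):
        end = expr.index(CLOSE, pos + len(OPEN))
        value += expr[pos + len(OPEN):end]
        pos = end + len(CLOSE)
        if not expr.startswith(" || ", pos):
            break
        pos += len(" || ")
    return value, expr[pos:]

if __name__ == "__main__":
    data = "a }~~ b"  # constructed input that contains the closing delimiter
    for build in (naive_block, safe_expr):
        expr = build(data)
        value, leftover = parse_expr(expr)
        print(f"{build.__name__}: {expr!r}")
        print(f"  string value: {value!r}  outside the block: {leftover!r}")
```

With the naive wrapper, part of the data ends up outside the block and is read as query text; with the split form the parsed value equals the input and nothing is left over.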