On Wed, Jul 14, 2010 at 10:49:33AM -0700, Mike Orr wrote:
> [1] The security issue is that single quotes are not escaped, so that
> the value in <div class='${foo}'> gets ended prematurely if foo
> contains a single quote. But that's invalid HTML anyway because you're
> supposed to use double quotes, not single quotes, around an attribute
> value.
The HTML 4 specification says you can use either:
By default, SGML requires that all attribute values be delimited using
either double quotation marks (ASCII decimal 34) or single quotation
marks (ASCII decimal 39). Single quote marks can be included within
the attribute value when the value is delimited by double quote marks,
and vice versa. Authors may also use numeric character references to
represent double quotes (&#34;) and single quotes (&#39;). For double
quotes authors can also use the character entity reference &quot;.
-- http://www.w3.org/TR/html401/intro/sgmltut.html#h-3.2.2
> I didn't know anybody used single quotes until Ben brought it
> up.
Marius Gedminas
--
C, n:
A programming language that is sort of like Pascal except more like
assembly except that it isn't very much like either one, or anything
else. It is either the best language available to the art today, or
it isn't.
-- Ray Simard
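An added illustration of the point above, not code from the thread or from any project mentioned in it: the single-quoted template from Mike's message rendered with double-quote-only escaping beside escaping that covers both delimiters, plus a small parser (an assumption, standing in for how a browser would delimit the attribute) showing where the class value actually ends.

```python
import html
import re

# Constructed template, delimiting the attribute with single quotes as in
# Mike's example. HTML 4 allows either ' or " as the delimiter.
TEMPLATE = "<div class='${foo}'>"

def render_double_only(foo: str) -> str:
    """The weak escaping the thread describes: &, <, > and double quotes
    are escaped but single quotes are not, so a single quote in foo ends
    the attribute value early."""
    escaped = html.escape(foo, quote=False).replace('"', "&quot;")
    return TEMPLATE.replace("${foo}", escaped)

def render_attr_safe(foo: str) -> str:
    """Escape both quote characters so the value is safe whichever
    delimiter the template uses. html.escape(quote=True) emits &quot;
    for " and &#x27; for '."""
    return TEMPLATE.replace("${foo}", html.escape(foo, quote=True))

# Assumed minimal parser: the class value runs to the next single quote;
# anything between that quote and the closing > is leftover attribute text.
ATTR_RE = re.compile(r"<div class='([^']*)'(.*)>")

def class_value(rendered: str) -> tuple[str, str]:
    """Return (class_value, trailing_attribute_text) for a rendered tag."""
    m = ATTR_RE.match(rendered)
    return (m.group(1), m.group(2).strip()) if m else ("", "")

if __name__ == "__main__":
    # Constructed input containing a single quote; the weak version lets
    # "data-x='y'" escape the class attribute, the safe one keeps it inside.
    sample = "hello' data-x='y"
    print(render_double_only(sample), class_value(render_double_only(sample)))
    print(render_attr_safe(sample), class_value(render_attr_safe(sample)))
```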