On 2009-07-26 03:56, Aryeh Gregor wrote:
There's no substitute for real escaping here. What if the developer
decided that a better value is something like:
Please enter your "login" name here
Who is talking about substitution? I am not talking about server side
scripting practices as a whole. I said that escaping is no substitution
for using quotes, since one can not expect developers to escape space
characters. That's all.
Or whatever. If you're not sure what the input is, you have to
programmatically escape it. Once you're programmatically escaping it,
your escaping function can add the quotes, and can add them only when
necessary (or always, or whatever you prefer).
And I think adding quotes is better handled in the presentation logic,
than in the business logic. It is more the responsibility of the front
end engineer, than of the back end developer.
But it really does not matter. There should be an easy way to enforce
it, no matter what code generates the quotation marks. I don't think
such an enforcement is a panacea to all problems, but it's a small help
for some problems, quite common for rookies, though.
Please do not argue against it on the failed merits of not being able to
substitute indata filtering and output escaping. Those factors are not
part of this equation.
I think my suggestion is totally analogous to e.g. semi-colon insertion in
ECMAScript. JSLint demands that those should be present, and I've yet to
hear anyone say "it's a matter of style".
Well, I'm going to say it's a matter of style there, too. The
dominant convention in Python, for instance, is to omit semicolons.
So, you are using python, a language that enforces specific indentation
to define block statements, to say that JSLint has got it all wrong?
Douglas Crockford, and every other JavaScript guru I know, have
identified using semi-colons as best practice - for JavaScript.
My analogy was simply this: Just like it makes sense for a JavaScript
lint tool to enforce semi-colons, it makes sense for an HTML conformance
checker to enforce quotation marks.
Always? No, not for boolean attributes and *perhaps* not for attributes
that by design never can take anything but a simple keyword or integer
as a value.
I think I've stated my case by now. So until I hear from Ian (who writes
the spec) or Henri, who is authoring the validator, I think we've
reached the end of this discussion.
--
Keryx Web (Lars Gunther)
http://keryx.se/
http://twitter.com/itpastorn/
http://itpastorn.blogspot.com/
