escaping attribute values - required in HTML4.01 Strict?

Discussion in 'HTML' started by Joshua Beall, Apr 16, 2004.

  1. Joshua Beall

    Joshua Beall Guest

    Hi,

    I am using a javascript tool to allow clients to edit content boxes on their
    sites (http://www.interactivetools.com/products/htmlarea/). However, I
    noticed that it does not escape attribute values, even when you copy paste a
    bit of code. For instance, if you copy paste a section <p
    class="paraTitle">Lorem ipsum</p>, then view the source, it winds up <p
    class=paraTitle>Lorem Ipsum</p>

    My question is, how concerned should I be by this? IE6 and Mozilla 1.5/1.6
    both seem to handle it fine. Are there browsers that are going to choke on
    this?

    -Josh
    Joshua Beall, Apr 16, 2004
    #1

  2. Joshua Beall

    Adrienne Guest

    Gazing into my crystal ball I observed "Joshua Beall"
    <> writing in
    news:4sYfc.836$:

    > Hi,
    >
    > I am using a javascript tool to allow clients to edit content boxes on
    > their sites (http://www.interactivetools.com/products/htmlarea/).
    > However, I noticed that it does not escape attribute values, even when
    > you copy paste a bit of code. For instance, if you copy paste a
    > section <p class="paraTitle">Lorem ipsum</p>, then view the source, it
    > winds up <p class=paraTitle>Lorem Ipsum</p>
    >
    > My question is, how concerned should I be by this? IE6 and Mozilla
    > 1.5/1.6 both seem to handle it fine. Are there browsers that are going
    > to choke on this?
    >
    > -Josh


    Opera cannot use it at all. It can use the text area as a plain text area,
    but it does not render the menu bar or the styled text.

    --
    Adrienne Boswell
    Please respond to the group so others can share
    http://www.arbpen.com
    Adrienne, Apr 18, 2004
    #2

  3. Joshua Beall

    Joshua Beall Guest

    "Adrienne" <> wrote in message
    news:Xns94CF6BB5940AEarbpenyahoocom@207.115.63.158...
    > Opera cannot use it at all. It can use the text area as a plain text area,
    > but it does not render the menu bar or the styled text.


    If I understand what you are saying, Opera cannot render the editor. This
    is not what I was asking.

    I want to know if having unescaped parameters (e.g., <p class="paraTitle">)
    is going to cause problems.

    ?
    Joshua Beall, Apr 18, 2004
    #3
  4. Joshua Beall

    Mark Parnell Guest

    On Sun, 18 Apr 2004 21:06:17 GMT, "Joshua Beall"
    <> declared in alt.html:

    > I want to know if having unescaped parameters (e.g., <p class="paraTitle">)
    > is going to cause problems.


    I assume you mean unquoted, not unescaped.

    In HTML, attributes don't have to be quoted as long as they only contain
    letters, numbers, and a couple of other characters.
    http://www.w3.org/TR/html4/intro/sgmltut.html#idx-attribute-6
    In XHTML, all attributes are required to be quoted.
    http://www.w3.org/TR/xhtml1/#h-4.4

    I would say you need to escape the quotes in your Javascript (e.g. <p
    class=/"paraTitle/"> so that they make it through to the output.

    --
    Mark Parnell
    http://www.clarkecomputers.com.au
    Mark Parnell, Apr 19, 2004
    #4
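
The HTML 4.01 rule cited in the post above, turned into a check and a re-quoting pass over editor output, as an added example that is not part of the thread or of htmlArea. The function names and the sample string are constructed for illustration, and the regex tokenizer assumes a fragment of plain tags with no comments, script or style blocks.

```javascript
// Added example; not code from the thread or from htmlArea.
// HTML 4.01: an unquoted attribute value may contain only letters,
// digits, hyphens, periods, underscores and colons.
const HTML4_UNQUOTED_OK = /^[A-Za-z0-9._:-]+$/;

function mayBeUnquotedInHtml4(value) {
  return HTML4_UNQUOTED_OK.test(value);
}

// One attribute: a name, optionally "=" and a double-quoted,
// single-quoted or unquoted value (capture groups 2, 3, 4).
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// A start tag: element name, attribute text, optional trailing slash.
const START_TAG =
  /<([A-Za-z][A-Za-z0-9]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/g;

// Report every unquoted value and whether HTML 4.01 allows it unquoted.
function findUnquoted(html) {
  const found = [];
  for (const [, , attrs] of html.matchAll(START_TAG)) {
    for (const [, name, , , bare] of attrs.matchAll(ATTR)) {
      if (bare !== undefined) {
        found.push({ name, value: bare, validHtml4: mayBeUnquotedInHtml4(bare) });
      }
    }
  }
  return found;
}

// Rewrite every start tag so each attribute value is double-quoted.
function requoteAttributes(html) {
  return html.replace(START_TAG, (tag, element, attrs, slash) => {
    const fixed = attrs.replace(ATTR, (m, name, dq, sq, bare) => {
      const value = dq ?? sq ?? bare;
      if (value === undefined) return name; // boolean attribute, e.g. "disabled"
      return `${name}="${value.replace(/"/g, "&quot;")}"`;
    });
    return `<${element}${fixed}${slash ? " /" : ""}>`;
  });
}

// Constructed sample input (first tag is the editor output quoted in the thread).
const SAMPLE =
  "<p class=paraTitle>Lorem Ipsum</p><a href=/docs/a?x=1 title='say \"hi\"'>x</a>";

console.log(findUnquoted(SAMPLE));
console.log(requoteAttributes(SAMPLE));
```

Quoting every value on output also satisfies the XHTML requirement mentioned in the post, and keeps a value intact when it later contains a space or other character the unquoted form does not allow.
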
  5. Joshua Beall

    Joshua Beall Guest

    "Mark Parnell" <> wrote in message
    news:83iy9cymvy40$.1fs5c8w5reehe$...
    > On Sun, 18 Apr 2004 21:06:17 GMT, "Joshua Beall"
    > <> declared in alt.html:
    >
    > > I want to know if having unescaped parameters (e.g., <p class="paraTitle">)
    > > is going to cause problems.
    >
    > I assume you mean unquoted, not unescaped.


    Yeah, apparently my fingers work faster than my brain. I meant unquoted.

    > In HTML, attributes don't have to be quoted as long as they only contain
    > letters, numbers, and a couple of other characters.
    > http://www.w3.org/TR/html4/intro/sgmltut.html#idx-attribute-6
    > In XHTML, all attributes are required to be quoted.
    > http://www.w3.org/TR/xhtml1/#h-4.4
    >
    > I would say you need to escape the quotes in your Javascript (e.g. <p
    > class=/"paraTitle/"> so that they make it through to the output.


    I did not actually write the script I am using; I would actually like to
    rewrite it in Java, but I am not sure when I will have time for that. But I
    would much rather be dependent on the user having a VM (that runs on any
    platform), than being dependent on IE6 (which runs only on *that*
    platform...), which is the current situation. And even a cross-browser JS
    script is going to be shaky, since it has to account for different browsers.
    By running on a VM, I only need a browser that can pass off applets to the
    VM.

    But that is in the "someday" category of my things to do list. Oh well :-/
    Joshua Beall, Apr 19, 2004
    #5