escaping attribute values - required in HTML4.01 Strict?

Joshua Beall

Hi,

I am using a javascript tool to allow clients to edit content boxes on their
sites (http://www.interactivetools.com/products/htmlarea/). However, I
noticed that it does not escape attribute values, even when you copy paste a
bit of code. For instance, if you copy paste a section <p
class="paraTitle">Lorem ipsum</p>, then view the source, it winds up <p
class=paraTitle>Lorem Ipsum</p>

My question is, how concerned should I be by this? IE6 and Mozilla 1.5/1.6
both seem to handle it fine. Are there browsers that are going to choke on
this?

-Josh
 
Adrienne

Joshua Beall said:
Hi,

I am using a javascript tool to allow clients to edit content boxes on
their sites (http://www.interactivetools.com/products/htmlarea/).
However, I noticed that it does not escape attribute values, even when
you copy paste a bit of code. For instance, if you copy paste a
section <p class="paraTitle">Lorem ipsum</p>, then view the source, it
winds up <p class=paraTitle>Lorem Ipsum</p>

My question is, how concerned should I be by this? IE6 and Mozilla
1.5/1.6 both seem to handle it fine. Are there browsers that are going
to choke on this?

-Josh

Opera cannot use it at all. It can use the text area as a plain text area,
but it does not render the menu bar or the styled text.
 
Joshua Beall

Adrienne said:
Opera cannot use it at all. It can use the text area as a plain text area,
but it does not render the menu bar or the styled text.

If I understand what you are saying, Opera cannot render the editor. This
is not what I was asking.

I want to know if having unescaped parameters (e.g., <p class="paraTitle">)
is going to cause problems.

?
 
Mark Parnell

Joshua Beall said:
I want to know if having unescaped parameters (e.g., <p class="paraTitle">)
is going to cause problems.

I assume you mean unquoted, not unescaped.

In HTML, attributes don't have to be quoted as long as they only contain
letters, numbers, and a couple of other characters.
http://www.w3.org/TR/html4/intro/sgmltut.html#idx-attribute-6
In XHTML, all attributes are required to be quoted.
http://www.w3.org/TR/xhtml1/#h-4.4

I would say you need to escape the quotes in your Javascript (e.g. <p
class=\"paraTitle\">) so that they make it through to the output.
 
Joshua Beall

Mark Parnell said:
I assume you mean unquoted, not unescaped.

Yeah, apparently my fingers work faster than my brain. I meant unquoted.

Mark Parnell said:
In HTML, attributes don't have to be quoted as long as they only contain
letters, numbers, and a couple of other characters.
http://www.w3.org/TR/html4/intro/sgmltut.html#idx-attribute-6
In XHTML, all attributes are required to be quoted.
http://www.w3.org/TR/xhtml1/#h-4.4

I would say you need to escape the quotes in your Javascript (e.g. <p
class=\"paraTitle\">) so that they make it through to the output.

I did not actually write the script I am using; I would actually like to
rewrite it in Java, but I am not sure when I will have time for that. But I
would much rather be dependent on the user having a VM (that runs on any
platform), than being dependent on IE6 (which runs only on *that*
platform...), which is the current situation. And even a cross-browser JS
script is going to be shaky, since it has to account for different browsers.
By running on a VM, I only need a browser that can pass off applets to the
VM.

But that is in the "someday" category of my things to do list. Oh well :-/
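
An added example (not part of the thread and not htmlArea's own code): a post-processing pass that re-quotes every attribute in the editor's output and lists unquoted values that fall outside the character set HTML 4.01 permits without quotes (letters, digits, hyphens, periods, underscores, colons). The function names and sample markup are constructed for illustration, and the regex tokenizer assumes well-formed start tags.

```javascript
// Start tag: name, attribute run, optional "/" before ">".
const TAG = /<([A-Za-z][A-Za-z0-9]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>]+))?)*)\s*(\/?)>/g;
// One attribute: name, then an optional double-quoted, single-quoted or bare value.
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;
// Characters HTML 4.01 allows in an unquoted attribute value.
const HTML4_UNQUOTED_OK = /^[A-Za-z0-9._:-]+$/;

// Re-emit every start tag with all attribute values in double quotes.
// Existing character references are left alone; only a literal double
// quote inside a value is escaped so it cannot end the attribute early.
function quoteAttributes(html) {
  return html.replace(TAG, (whole, name, attrs, selfClose) => {
    let out = "<" + name;
    for (const [, attr, dq, sq, bare] of attrs.matchAll(ATTR)) {
      const value = dq ?? sq ?? bare;
      out += value === undefined
        ? ` ${attr}`                                        // boolean attribute
        : ` ${attr}="${value.replace(/"/g, "&quot;")}"`;
    }
    return out + (selfClose ? " /" : "") + ">";
  });
}

// List unquoted values that browsers may tolerate but HTML 4.01 does not allow.
function illegalUnquoted(html) {
  const found = [];
  for (const tag of html.matchAll(TAG)) {
    for (const [, attr, , , bare] of tag[2].matchAll(ATTR)) {
      if (bare !== undefined && !HTML4_UNQUOTED_OK.test(bare)) {
        found.push(`${tag[1]} ${attr}=${bare}`);
      }
    }
  }
  return found;
}

// Constructed sample: the editor output from the first post, plus a link.
const sample = "<p class=paraTitle>Lorem Ipsum <a href=/docs/a?x=1>more</a></p>";
console.log(quoteAttributes(sample));
console.log(illegalUnquoted(sample));
```

Running the pass on the server before storing client-edited content makes the saved markup independent of how a given browser's editor serializes attributes.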
 
