silly HTML

hug wrote:

> Please see my post to Toby; I remain unconvinced because I have read
> the URI Syntax RFC and it appears to agree with my point of view.

The URI Syntax RFC isn't entirely the whole story here, because we're
not dealing with a URI, we're dealing with the HTML representation of a
URI.

A bare "&" is wrong, "&" is correct instead.
 >> Stay informed about: silly HTML 

"Andy Dingley" <dingbat.TakeThisOut@codesmiths.com> wrote:

>hug wrote:
>
>> Please see my post to Toby; I remain unconvinced because I have read
>> the URI Syntax RFC and it appears to agree with my point of view.
>
>The URI Syntax RFC isn't entirely the whole story here, because we're
>not dealing with a URI, we're dealing with the HTML representation of a
>URI.
>
>A bare "&" is wrong, "&" is correct instead.

Understood, Andy.

--
Legacy browsers never heard of emerging standards.
(contact via http://www.ren-prod-inc.com/hug_soft)
 >> Stay informed about: silly HTML 

hug wrote:

> Huh. It seems everyplace where I find ISO 8879 wants you to buy a
> hardcopy manual. Are you aware of a web location where its complete
> text is published?

Few ISO standards are freely available.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
 >> Stay informed about: silly HTML 

hug wrote:

> Based on this, it remains unclear to me why a "&" character within a
> double-quoted URL should be translated into an html entity.

'&' doesn't need to be escaped within the English language, but if you use
the English language within HTML, then it needs to be escaped.

'&' doesn't need to be escaped within URLs, but if you use URLs within
HTML, then it needs to be escaped.

See?

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
 >> Stay informed about: silly HTML 

hug wrote:

> To me, anything inside a quoted string in a tag has already been
> "escaped" by virtue of being inside the quoted string, so using html
> entity-names for those characters inside a quoted string seems
> "wrong".

Consider this snippet:

<a href="test.php?foo=bar&copy=true">test</a>

In the above example I didn't write the ampersand as &, but merely
as an ampersand character. The browser interprets the URL as being:

/test.php?foo=bar%A9=true

Which is to say, it ends in a © symbol followed by "=true". Obviously
(to a human) this isn't what was intended.

The problem is that if you don't write ampersands as & then if you
accidentally choose a variable name that matches an existing (or
possibly one that /will/ exist in the future) it will be interpreted as
the character that it represents rather than the variable name that you
intended it to be. As in the above example, in HTML, © and &copy
(without the ';') are both interpreted as being the © character.

--
Dylan Parry
http://electricfreedom.org | http://webpageworkshop.co.uk

Programming, n: A pastime similar to banging one's head
against a wall, but with fewer opportunities for reward.
 >> Stay informed about: silly HTML 

Dylan Parry <usenet DeleteThis @dylanparry.com> wrote:

>hug wrote:
>
>> To me, anything inside a quoted string in a tag has already been
>> "escaped" by virtue of being inside the quoted string, so using html
>> entity-names for those characters inside a quoted string seems
>> "wrong".
>
>Consider this snippet:
>
><a href="test.php?foo=bar&copy=true">test</a>
>
>In the above example I didn't write the ampersand as &, but merely
>as an ampersand character. The browser interprets the URL as being:
>
>/test.php?foo=bar%A9=true

Which browser does that, Dylan?

>Which is to say, it ends in a © symbol followed by "=true". Obviously
>(to a human) this isn't what was intended.
>
>The problem is that if you don't write ampersands as & then if you
>accidentally choose a variable name that matches an existing (or
>possibly one that /will/ exist in the future) it will be interpreted as
>the character that it represents rather than the variable name that you
>intended it to be. As in the above example, in HTML, © and &copy
>(without the ';') are both interpreted as being the © character.

I still haven't gotten to digging into the HTML specs on this issue,
but it'll happen.

--
Legacy browsers never heard of emerging standards.
(contact via http://www.ren-prod-inc.com/hug_soft)
 >> Stay informed about: silly HTML 

hug wrote:

>> <a href="test.php?foo=bar&copy=true">test</a>
[...]
>> /test.php?foo=bar%A9=true
>
> Which browser does that, Dylan?

Internet Explorer 6 & 7 (I haven't tested below 6, but I presume they do
too), and Firefox 2 (again, not tested below 2). I presume the same is
true of Opera and Safari.

--
Dylan Parry
http://electricfreedom.org | http://webpageworkshop.co.uk

Programming, n: A pastime similar to banging one's head
against a wall, but with fewer opportunities for reward.
 >> Stay informed about: silly HTML 

Dylan Parry <usenet.DeleteThis@dylanparry.com> wrote:

>hug wrote:
>
>>> <a href="test.php?foo=bar&copy=true">test</a>
>[...]
>>> /test.php?foo=bar%A9=true
>>
>> Which browser does that, Dylan?
>
>Internet Explorer 6 & 7 (I haven't tested below 6, but I presume they do
>too), and Firefox 2 (again, not tested below 2). I presume the same is
>true of Opera and Safari.

It seems this is something recent. I use IE 5.5, Netscape 4.7, Opera
6.05 and 9.02, and Firefox, and I haven't had problems with any of
them. [There's no way I'll download IE 6 & 7 because of their system
requirements.] Thanks Dylan.

--
Legacy browsers never heard of emerging standards.
(contact via http://www.ren-prod-inc.com/hug_soft)
 >> Stay informed about: silly HTML 

hug wrote:
> Dylan Parry <usenet.DeleteThis@dylanparry.com> wrote:
>
>> hug wrote:
>>
>>>> <a href="test.php?foo=bar&copy=true">test</a>
>> [...]
>>>> /test.php?foo=bar%A9=true
>>>
>>> Which browser does that, Dylan?
>>
>> Internet Explorer 6 & 7 (I haven't tested below 6, but I presume
>> they do too), and Firefox 2 (again, not tested below 2). I presume
>> the same is true of Opera and Safari.
>
> It seems this is something recent. I use IE 5.5, Netscape 4.7, Opera
> 6.05 and 9.02, and Firefox, and I haven't had problems with any of
> them.

Hard to believe. Opera 9.00 does this, why shouldn't 9.02....
--
Rik Wasmus
 >> Stay informed about: silly HTML 

"Rik" <luiheidsgoeroe.RemoveThis@hotmail.com> wrote:

>hug wrote:
>> Dylan Parry <usenet.RemoveThis@dylanparry.com> wrote:
>>
>>> hug wrote:
>>>
>>>>> <a href="test.php?foo=bar&copy=true">test</a>
>>> [...]
>>>>> /test.php?foo=bar%A9=true
>>>>
>>>> Which browser does that, Dylan?
>>>
>>> Internet Explorer 6 & 7 (I haven't tested below 6, but I presume
>>> they do too), and Firefox 2 (again, not tested below 2). I presume
>>> the same is true of Opera and Safari.
>>
>> It seems this is something recent. I use IE 5.5, Netscape 4.7, Opera
>> 6.05 and 9.02, and Firefox, and I haven't had problems with any of
>> them.
>
>Hard to believe. Opera 9.00 does this, why shouldn't 9.02....

Dunno, Rik. I used Opera 6.05 for a long time, only upgraded to the
newer Opera fairly recently... I don't recall whether the first I
installed was 9.00 or 9.01, but I lost a hard-drive and ended up using
9.02.

In 9.02 what I see is this (in view/source):

<a
href="http://www.ren-prod-inc.com/maint/test_site/store.php?action=122&id=1BMJEP0AM,1BMJFAL4N">

I do not see any ampersands being translated to copyright characters
or to anything else because they were not coded as &. It's
possible that I've misunderstood what Dylan was saying. But if
browsers were going around changing ampersands into copyright symbols
it would have become pretty obvious that something was wrong because
the ampersands are necesssary for things to work.

If I change the code to generate & instead of just an ampersand,
view/source shows it as & which looks kind of funny but it works
the same both ways as far as I can see. Maybe I'm looking at the
wrong thing and the whole deal is some kind of misunderstanding.
People (some of whom I know from the past to be pretty sensible folks)
seem to be telling me one thing, and browsers seem to be telling me
another thing. <shrug>

--
Legacy browsers never heard of emerging standards.
(contact via http://www.ren-prod-inc.com/hug_soft)
 >> Stay informed about: silly HTML 

hug wrote:
> "Rik" <luiheidsgoeroe.TakeThisOut@hotmail.com> wrote:
>
> >hug wrote:
> >> Dylan Parry <usenet.TakeThisOut@dylanparry.com> wrote:
> >>
> >>> hug wrote:
> >>>
> >>>>> <a href="test.php?foo=bar&copy=true">test</a>
> >>> [...]
> >>>>> /test.php?foo=bar%A9=true
> >>>>
> >>>> Which browser does that, Dylan?
> >>>
> >>> Internet Explorer 6 & 7 (I haven't tested below 6, but I presume
> >>> they do too), and Firefox 2 (again, not tested below 2). I presume
> >>> the same is true of Opera and Safari.
> >>
> >> It seems this is something recent. I use IE 5.5, Netscape 4.7, Opera
> >> 6.05 and 9.02, and Firefox, and I haven't had problems with any of
> >> them.
> >
> >Hard to believe. Opera 9.00 does this, why shouldn't 9.02....
>
> Dunno, Rik. I used Opera 6.05 for a long time, only upgraded to the
> newer Opera fairly recently... I don't recall whether the first I
> installed was 9.00 or 9.01, but I lost a hard-drive and ended up using
> 9.02.
>
> In 9.02 what I see is this (in view/source):
>
> <a
> href="http://www.ren-prod-inc.com/maint/test_site/store.php?action=122&id=1BMJEP0AM,1BMJFAL4N">
>
> I do not see any ampersands being translated to copyright characters
> or to anything else because they were not coded as &. It's
> possible that I've misunderstood what Dylan was saying. But if
> browsers were going around changing ampersands into copyright symbols
> it would have become pretty obvious that something was wrong because
> the ampersands are necesssary for things to work.
>
> If I change the code to generate & instead of just an ampersand,
> view/source shows it as & which looks kind of funny but it works
> the same both ways as far as I can see. Maybe I'm looking at the
> wrong thing and the whole deal is some kind of misunderstanding.
> People (some of whom I know from the past to be pretty sensible folks)
> seem to be telling me one thing, and browsers seem to be telling me
> another thing. <shrug>
>
Hmmm, yes that may seam to be the case. What you need to take in to
consideration is error correction (done by most common browsers (on
Windows OS's, this might not be the case on other platforms such as
Mobile devices and PDA's (they might not be as forgiving). It might not
even be the case on those same browsers you tested on useing them on a
nother OS, such as FireFox on Linux.
By the way, how does my site perform on IE 5.5 and Netscape 4.exe.
(just curious) it's not like i'll bother to support netscrape 4.
--
Regards Chad. http://freewebdesign.cjb.cc
 >> Stay informed about: silly HTML 

hug wrote:

> <a
> href="http://www.ren-prod-inc.com/maint/test_site/store.php?action=122&id=1BMJEP0AM,1BMJFAL4N">
>
> I do not see any ampersands being translated to copyright characters
> or to anything else because they were not coded as &. It's
> possible that I've misunderstood what Dylan was saying.

It's certain you have misunderstood.

Dylan was talking about the case of a link like:

<a href="http://example.org/script.php?original=foo.txt&copy=bar.txt"
>Check if <tt>foo.txt</tt> and <tt>bar.txt</tt> are identical.</a>

"&copy" is interpreted here as '©', so the browser offers the following
link:

http://example.org/script.php?original=foo.txt©=bar.txt

And the PHP script will receive:

<?php
echo $_GET['original'];
// prints "foo.txt©=bar.txt".
?>

In your case, the link contains '&id' instead of '&copy'. Whereas '&copy'
has a special meaning (the copyright symbol), '&id' has no special meaning
and is an error condition. When a browser hits an error condition in HTML
(not XHTML) mode, it tends to do its best to guess what the author meant,
and most current browsers will guess that you meant '&id'.

However, say a future version of HTML assigned a special meaning to '&id'.
For example, it could represent the mathematical symbol for "identical to"
(Unicode U+02261, which looks like an equals sign with three bars
instead of two), then your link becomes:

http://www.ren-prod-inc.com/maint/test_site/store.php (wrap...)
?action=122≡=1BMJEP0AM,1BMJFAL4N

So your PHP script gets:

<?php
echo $_GET['action'];
// prints "122≡=1BMJEP0AM,1BMJFAL4N"
?>

Would your script be able to cope with that?

The solution (in PHP) is the htmlentities() function, which encodes the
following potentially non-safe characters: <>"'&

You could use it as follows:

<?php
print '<a href="'.htmlentities($url).'">'.htmlentities($title).'</a>';
?>

Though I find it neater to use the C-style printf() function:

<?php
printf('<a href="%s">%s</a>',
htmlentities($url),
htmlentities($title));
?>

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
 >> Stay informed about: silly HTML 

Toby Inkster <usenet200611.RemoveThis@tobyinkster.co.uk> wrote:

>hug wrote:
>
>> <a
>> href="http://www.ren-prod-inc.com/maint/test_site/store.php?action=122&id=1BMJEP0AM,1BMJFAL4N">
>>
>> I do not see any ampersands being translated to copyright characters
>> or to anything else because they were not coded as &. It's
>> possible that I've misunderstood what Dylan was saying.
>
>It's certain you have misunderstood.
>
>Dylan was talking about the case of a link like:
>
> <a href="http://example.org/script.php?original=foo.txt&copy=bar.txt"
> >Check if <tt>foo.txt</tt> and <tt>bar.txt</tt> are identical.</a>
>
>"&copy" is interpreted here as '©', so the browser offers the following
>link:
>
> http://example.org/script.php?original=foo.txt©=bar.txt
>
>And the PHP script will receive:
>
> <?php
> echo $_GET['original'];
> // prints "foo.txt©=bar.txt".
> ?>
>
>In your case, the link contains '&id' instead of '&copy'. Whereas '&copy'
>has a special meaning (the copyright symbol), '&id' has no special meaning
>and is an error condition. When a browser hits an error condition in HTML
>(not XHTML) mode, it tends to do its best to guess what the author meant,
>and most current browsers will guess that you meant '&id'.

Ah, now I understand! Thanks for the explanation, Toby.

>However, say a future version of HTML assigned a special meaning to '&id'.
>For example, it could represent the mathematical symbol for "identical to"
>(Unicode U+02261, which looks like an equals sign with three bars
>instead of two), then your link becomes:
>
> http://www.ren-prod-inc.com/maint/test_site/store.php (wrap...)
> ?action=122?=1BMJEP0AM,1BMJFAL4N
>
>So your PHP script gets:
>
> <?php
> echo $_GET['action'];
> // prints "122?=1BMJEP0AM,1BMJFAL4N"
> ?>
>
>Would your script be able to cope with that?

In 5 minutes it could be using "&parms=" or anything else instead of
"&id=".

>The solution (in PHP) is the htmlentities() function, which encodes the
>following potentially non-safe characters: <>"'&
>
>You could use it as follows:
>
> <?php
> print '<a href="'.htmlentities($url).'">'.htmlentities($title).'</a>';
> ?>
>
>Though I find it neater to use the C-style printf() function:
>
> <?php
> printf('<a href="%s">%s</a>',
> htmlentities($url),
> htmlentities($title));
> ?>

I have so much stuff going on here that I still haven't rounded up the
current html RFC. If you or anyone else would care to post a link,
that would be most helpful. Otherwise I'll get around to it in a day
or two.

Pragmatically speaking, it might be best for me to just begin using a
parameter name that is disallowed as an html entity-name. But any way
you look at it, it's not a big deal, it's just a matter of deciding
what I think is the most solid way of handling it. At the moment it's
a non-issue since as you mentioned &id is not a defined html entity
name.

--
Legacy browsers never heard of emerging standards.
(contact via http://www.ren-prod-inc.com/hug_soft)
 >> Stay informed about: silly HTML