«

Hi,

I am using a javascript tool to allow clients to edit content boxes on their
sites (http://www.interactivetools.com/products/htmlarea/). However, I
noticed that it does not escape attribute values, even when you copy paste a
bit of code. For instance, if you copy paste a section <p
class="paraTitle">Lorem ipsum</p>, then view the source, it winds up <p
class=paraTitle>Lorem Ipsum</p>

My question is, how concerned should I be by this? IE6 and Mozilla 1.5/1.6
both seem to handle it fine. Are there browsers that are going to choke on
this?

-Josh

Gazing into my crystal ball I observed "Joshua Beall"
<> writing in
news:4sYfc.836$:

> Hi,
>
> I am using a javascript tool to allow clients to edit content boxes on
> their sites (http://www.interactivetools.com/products/htmlarea/).
> However, I noticed that it does not escape attribute values, even when
> you copy paste a bit of code. For instance, if you copy paste a
> section <p class="paraTitle">Lorem ipsum</p>, then view the source, it
> winds up <p class=paraTitle>Lorem Ipsum</p>
>
> My question is, how concerned should I be by this? IE6 and Mozilla
> 1.5/1.6 both seem to handle it fine. Are there browsers that are going
> to choke on this?
>
> -Josh
>
>
>

Opera cannot use it at all. It can use the text area as a plain text area,
but it does not render the menu bar or the styled text.

--
Adrienne Boswell
Please respond to the group so others can share
http://www.arbpen.com

"Adrienne" <> wrote in message
news:Xns94CF6BB5940AEarbpenyahoocom@207.115.63.158 ...
> Opera cannot use it at all. It can use the text area as a plain text
area,
> but it does not render the menu bar or the styled text.

If I understand what you are saying, Opera cannot render the editor. This
is not what I was asking.

I want to know if having unescaped parameters (e.g., <p class="paraTitle">)
is going to cause problems.

?

On Sun, 18 Apr 2004 21:06:17 GMT, "Joshua Beall"
<> declared in alt.html:

> I want to know if having unescaped parameters (e.g., <p class="paraTitle">)
> is going to cause problems.

I assume you mean unquoted, not unescaped.

In HTML, attributes don't have to be quoted as long as they only contain
letters, numbers, and a couple of other characters.
http://www.w3.org/TR/html4/intro/sgm...dx-attribute-6
In XHTML, all attributes are required to be quoted.
http://www.w3.org/TR/xhtml1/#h-4.4

I would say you need to escape the quotes in your Javascript (e.g. <p
class=/"paraTitle/"> so that they make it through to the output.

--
Mark Parnell
http://www.clarkecomputers.com.au

"Mark Parnell" <> wrote in message
news:83iy9cymvy40$.1fs5c8w5reehe$... .
> On Sun, 18 Apr 2004 21:06:17 GMT, "Joshua Beall"
> <> declared in alt.html:
>
> > I want to know if having unescaped parameters (e.g., <p
class="paraTitle">)
> > is going to cause problems.
>
> I assume you mean unquoted, not unescaped.

Yeah, apparently my fingers work faster than my brain. I meant unquoted.

> In HTML, attributes don't have to be quoted as long as they only contain
> letters, numbers, and a couple of other characters.
> http://www.w3.org/TR/html4/intro/sgm...dx-attribute-6
> In XHTML, all attributes are required to be quoted.
> http://www.w3.org/TR/xhtml1/#h-4.4
>
> I would say you need to escape the quotes in your Javascript (e.g. <p
> class=/"paraTitle/"> so that they make it through to the output.

I did not actual write the script I am using; I would actually like to
rewrite it in Java, but I am not sure when I will have time for that. But I
would much rather be dependent on the user having a VM (that runs on any
platform), than being dependent on IE6 (which runs only on *that*
platform...), which is the current situation. And even a cross-browser JS
script is going to be shaky, since it has to account for different browsers.
By running on a VM, I only need a browser that can pass off applets to the
VM.

But that is in the "someday" category of my things to do list. Oh well :-/