Re: HTML draft - clarification of quoted string processing (Marc Andreessen)
Date: Sun, 5 Dec 93 02:31:47 -0800
From: (Marc Andreessen)
Message-id: <>
To: Dave_Raggett <>
Subject: Re: HTML draft - clarification of quoted string processing
In-reply-to: <>
References: <>
Dave_Raggett writes:
> Bryan Cheung writes:
> > I may just be blind, but I don't see a place in the HTML spec which 
> > describes what is supposed to happen to special characters inside quoted
> > strings. Consider an HTML statement such as:
> > <form method=post action="/htbin-post/banner hello > foobar">

Heavily illegal.  The special characters should be encoded, as usual,
as %xx.  (This is because ACTION specifies a URL.)

> >  ...form goes here
> > </form>
> > My question relates to how the i/o redirection character (or any special
> > character) is to be treated when used within quotes inside of a standard
> > HTML directive. Should special characters be completely protected when
> > quoted inside of a directive?? Does it make sense to specify that escapes
> > such as &gt; be used within quoted strings? Where should this go in the
> > spec? (I looked for it, and can't find it - please point me there if I
> > missed it.
> Page 331 of Goldfarb's SGML Handbook says that parsers derive the attribute
> value from the attribute value literal (the stuff between the quote marks)
> by replacing any entity references or character references within the literal
> and then normalising by replacing any contiguous whitespace by a single
> space character. Note you can use " or ' as quote marks for attribute value
> literals.
> Thanks for pointing out this topic - it is rather obscure and clearly needs
> to be included in the HTML+ spec. I can garantee that most browsers are
> currently doing the wrong thing for attributes!

Bleah.  Let's be more restrictive.  An encoding method exists for URLs
anyway; other attributes/values can be limited to reasonable characters.
This keeps things simple.