Hacker News

When generating output for a browser what you're really doing is writing an HTML serializer. Kind of tricky to do right by concatenating a bunch of strings together. Some template systems (such as Genshi for Python) actually parse the template as HTML or XML so they understand how to encode all of your outputs correctly for their context.


Indeed, if you're generating the HTML/XML stream as tokens instead of as plain text, the context-sensitive quoting can be done automatically.

When I do have to generate HTML as text I usually go with escaping &<>"' and I double quote all attribute values. Isn't this best practice?

Is there anyone using 's or (eek) unquoted HTML attributes at all?
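An added example (not from any commenter in this thread): a minimal token-based serializer in Python that applies the escaping described above by context, and leaves an attribute unquoted only when its value cannot change the parse. The token shapes and function names are hypothetical, and tag and attribute names are assumed to be literal template text.

```python
import re
from html import escape

# Not allowed in an unquoted attribute value per the HTML syntax: whitespace,
# quotes, =, <, >, backtick. "&" is added here so such values need no escaping.
_UNQUOTED_UNSAFE = re.compile(r"""[\s"'=<>`&]""")

def can_leave_unquoted(value):
    """True only for non-empty values that are safe without quotes."""
    return bool(value) and not _UNQUOTED_UNSAFE.search(value)

def serialize(tokens, unquote_safe=False):
    """Serialize tokens to HTML, escaping each value for its context.

    Token shapes (hypothetical): ("start", tag, attrs) ("text", data) ("end", tag)
    """
    out = []
    for tok in tokens:
        kind = tok[0]
        if kind == "start":
            parts = [tok[1]]
            for name, value in tok[2].items():
                if unquote_safe and can_leave_unquoted(value):
                    parts.append(f"{name}={value}")
                else:
                    # Attribute context: escape & < > " ' and double-quote
                    parts.append(f'{name}="{escape(value, quote=True)}"')
            out.append("<" + " ".join(parts) + ">")
        elif kind == "text":
            # Element content: & < > must be escaped, quotes may stay
            out.append(escape(tok[1], quote=False))
        elif kind == "end":
            out.append(f"</{tok[1]}>")
        else:
            raise ValueError(f"unknown token kind: {kind!r}")
    return "".join(out)

# Constructed sample: a literal class name plus untrusted attribute and text
SAMPLE = [
    ("start", "a", {"class": "nav", "title": 'red" title="injected'}),
    ("text", 'Tom & "Jerry" <3'),
    ("end", "a"),
]

if __name__ == "__main__":
    print(serialize(SAMPLE))
    print(serialize(SAMPLE, unquote_safe=True))
```

With `unquote_safe=True` only the literal `class=nav` loses its quotes; the untrusted `title` value is still escaped and double-quoted, so it stays a single attribute.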


We use unquoted attributes at Google sometimes. It's for bandwidth/latency-saving reasons. They're usually limited to literal template text (i.e. class names, width/height attributes, etc.) and not user-generated text.


I use single-quoted attributes on a regular basis when editing XML (and HTML, which I edit as XML) documents by hand, mainly because it conserves a noticeable amount of Shift keying on the US keyboard layout. If necessary I mechanically translate them into double quotes ex post facto, but I don't bother if I can assume a style of parser that will handle the single quotes.



