Hi Padraic,
On Mon, Feb 3, 2014 at 8:06 PM, Pádraic Brady <[email protected]> wrote:
> There are three ways to present an attribute value validly in HTML5:
>
> 1. Double quoted
> 2. Single quoted
> 3. Unquoted.
>
Unquoted is a really bad standard with respect to security. I don't
understand why they allow unquoted attributes, but I think we need to
address this somehow.
htmlentities/htmlspecialchars may have ENT_NO_SPACE as an option. If
there is a space char, a null string is returned. The standard allows a space
before attributes. A user may write
<tag attr = <?php echo htmlentities($str, ENT_NO_SPACE);?> >
Use of this option is not recommended, but there is the standard. We may
support it even if we don't recommend it.
Regards,
--
Yasuo Ohgaki
[email protected]
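The following is an added example, not code from the thread or from PHP itself. It shows why htmlspecialchars() on its own is not enough for an unquoted attribute value, and models two userland ways to close the gap. ENT_NO_SPACE is only a proposal in the message above and is not a real PHP constant, so the "return an empty string when whitespace is present" behaviour is written here as an ordinary function; the function names escape_attr_reject_space and escape_attr_unquoted and the sample input are assumptions made for this demonstration.

```php
<?php
// Added example (not from the thread, not PHP's own code).
// Requires the mbstring extension for mb_ord() in escape_attr_unquoted().
declare(strict_types=1);

// Constructed untrusted input: it contains no quote, no <, no > and no &,
// so htmlspecialchars() returns it unchanged.
$untrusted = "x onmouseover=alert(1)";

// Quoted attribute: the only way out of the value is the quote character,
// and ENT_QUOTES makes htmlspecialchars() escape both " and '.
$quoted = '<a title="'
    . htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    . '">';

// Unquoted attribute: the HTML5 tokenizer ends the value at the first
// whitespace character, so "onmouseover=alert(1)" becomes a second,
// attacker-controlled attribute on the same tag. htmlspecialchars()
// cannot prevent this because it never touches whitespace.
$unquoted = '<a title='
    . htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    . '>';

// Option 1 (mirrors the ENT_NO_SPACE semantics proposed in the thread):
// refuse any value containing a character HTML5 treats as whitespace
// between attributes (space, tab, LF, FF, CR) by returning an empty string.
function escape_attr_reject_space(string $value): string
{
    if (preg_match('/[\x20\x09\x0A\x0C\x0D]/', $value) === 1) {
        return '';
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Option 2: keep the value but make it safe in an unquoted position by
// encoding every code point outside [A-Za-z0-9] as a numeric character
// reference. Character references are decoded inside the attribute value
// by the tokenizer, so "&#x20;" stays part of the value instead of
// terminating it, and "=", "<", "`" and friends can no longer start a
// new attribute or close the tag.
function escape_attr_unquoted(string $value): string
{
    return preg_replace_callback(
        '/[^A-Za-z0-9]/u',
        static fn(array $m): string => '&#x' . dechex(mb_ord($m[0], 'UTF-8')) . ';',
        $value
    );
}

echo $quoted, "\n";                                             // safe
echo $unquoted, "\n";                                           // injected attribute
echo '<a title=', escape_attr_reject_space($untrusted), ">\n";  // value dropped
echo '<a title=', escape_attr_unquoted($untrusted), ">\n";      // value kept, whitespace encoded
```

Option 2 is the approach a practitioner would generally reach for, since it keeps the data instead of silently discarding it; option 1 is included only to show what the proposed flag would do. Either way, the simplest fix remains the one Pádraic's list implies: always quote attribute values, and then htmlspecialchars() with ENT_QUOTES is sufficient.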