[Zope] sorry to insist! I'm a feeling that I must dare to write this message: don't allow bad entities ruin the code

Charlie Reiman creiman@kefta.com
Thu, 19 Dec 2002 15:45:45 -0800


> -----Original Message-----
> From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of
> Lennart Regebro
> Sent: Thursday, December 19, 2002 3:11 PM
> To: danielle.d-avout; zope@zope.org
> Subject: Re: [Zope] sorry to insist! I'm a feeling that I must dare to
> write this message: don't allow bad entities ruin the code
>
>
> From: "danielle.d-avout" <danielle.d-avout@wanadoo.fr>
> >
> > http://www.zope.org/feedback_site_form?whats_up=Register&origin_url=http://www.zope.org/Register
> > will work but it is mere luck, it is not W3C compliant
> > it should be for example instead of &origin &amp;origin
>
> Huh? & has always been used to delimit different parameters in a get URL.
> Are you saying that this is incorrect?

Danielle is right, it is incorrect but only in things that need to validate
(HTML, XML). If you are talking in ASCII email, using & alone is just fine
(and using &amp; will probably not work).

To express it a little more clearly: URLs can have '&' in them, it's just
fine. But when a URL occurs as an HTML attribute, like:

<a href="http://blah?foo=baz&blah=yarg">hi</a>

Using a standalone '&' is incorrect as '&' in an attribute is the signal
for an entity. It really should be '&amp;'.

Having said that, I can't imagine any major browser ever enforcing this
requirement in the next 10-15 years. I also wouldn't consider it "just
luck".
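
The point discussed in this thread, as an added example that is not part of the original messages: it uses Python's `html.escape` to write the link and `html.unescape` as a stand-in for a parser that decodes character references in the attribute. The `copy` parameter is a constructed case; the other names and URLs are the ones quoted above.

```python
import html
from urllib.parse import urlencode

BASE = "http://www.zope.org/feedback_site_form"  # URL quoted in the thread


def link(url, escape):
    """Return an <a> tag; escape=True writes '&' as '&amp;' in the href."""
    href = html.escape(url, quote=True) if escape else url
    return f'<a href="{href}">hi</a>'


def href_as_decoded(tag):
    """Pull the href out of the tag and decode its character references."""
    raw = tag.split('href="', 1)[1].split('"', 1)[0]
    return html.unescape(raw)


# Parameters from the thread: no parameter name starts with an entity name,
# so a bare '&' happens to survive decoding.
thread_url = BASE + "?" + urlencode(
    {"whats_up": "Register", "origin_url": "http://www.zope.org/Register"})

# Constructed case: "copy" is also an entity name, so a bare "&copy" is
# decoded to the copyright sign and the parameter name is lost.
clash_url = BASE + "?" + urlencode({"whats_up": "Register", "copy": "2"})

if __name__ == "__main__":
    for url in (thread_url, clash_url):
        for escape in (False, True):
            got = href_as_decoded(link(url, escape))
            print(f"escaped={escape!s:5} intact={got == url!s:5} {got}")
```

Escaping at the point where the URL is written into the attribute keeps the link independent of which parameter names happen to be in use.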