惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
C
CERT Recently Published Vulnerability Notes
C
Cisco Blogs
Cloudbric
Cloudbric
The Last Watchdog
The Last Watchdog
L
LINUX DO - 热门话题
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Application and Cybersecurity Blog
Application and Cybersecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Security Archives - TechRepublic
Security Archives - TechRepublic
TaoSecurity Blog
TaoSecurity Blog
V2EX - 技术
V2EX - 技术
H
Heimdal Security Blog
S
Security Affairs
L
Lohrmann on Cybersecurity
Hacker News - Newest:
Hacker News - Newest: "LLM"
Simon Willison's Weblog
Simon Willison's Weblog
WordPress大学
WordPress大学
小众软件
小众软件
Security Latest
Security Latest
AWS News Blog
AWS News Blog
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
Engineering at Meta
Engineering at Meta
阮一峰的网络日志
阮一峰的网络日志
罗磊的独立博客
F
Full Disclosure
S
Schneier on Security
L
LangChain Blog
MyScale Blog
MyScale Blog
Know Your Adversary
Know Your Adversary
P
Privacy International News Feed
Google Online Security Blog
Google Online Security Blog
Scott Helme
Scott Helme
Stack Overflow Blog
Stack Overflow Blog
爱范儿
爱范儿
A
Arctic Wolf
Martin Fowler
Martin Fowler
B
Blog RSS Feed
大猫的无限游戏
大猫的无限游戏
博客园 - 三生石上(FineUI控件)
The Register - Security
The Register - Security
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园_首页
Latest news
Latest news
F
Fortinet All Blogs
G
GRAHAM CLULEY
T
The Exploit Database - CXSecurity.com
Hacker News: Ask HN
Hacker News: Ask HN

Henri Sivonen’s pages

Parin vuoden tutkimattomuus crates.io: Rust Package Registry Asiakirjatonta toimintaa It’s not wrong that "🤦🏼‍♂️".length == 7 Koulutartuntojen tilastointimenettely Perusteasiakirjoja hallussapitämättä ikärajoitettu Asiantuntijat ja nukkuva vallan vahtikoira Koronapassilausunto Suppealla tietopohjalla ohimeneväksi väitetty Text Encoding Menu in 2021 The Text Encoding Submenu Is Gone An HTML5 Conformance Checker Not Part of the Technology Stack Browser Technology Stack Bogo-XML Declaration Returns to Gecko A Look at Encoding Detection and Encoding Menu Telemetry from Firefox 86 Why Supporting Unlabeled UTF-8 in HTML on the Web Would Be Problematic Rust Target Names Aren’t Passed to LLVM Toimintamalli Activating Browser Modes with Doctype Johtopäätöksiä mallin rakenteesta Tehtävänmäärittelyä kirjoittamatta ja kuolemia laskematta laumasuojamallinnettu Character Encoding Menu in 2014 Erillissuosituksen tarpeettomuudesta yleissuosituksen poikkeukseksi? STM:n maskiaikajana Rust 2021 Oma-aloitteisesti mallinnettu Kokopinovaatimuksin kilpailutettu chardetng: A More Compact Character Encoding Detector for the Legacy Web Varauksia paisutellen tiedotettu Perusteasiakirjoitta tiedotettu Always Use UTF-8 & Always Label Your HTML Saying So IME Smoke Testing The Validator.nu HTML Parser About the Hiragino Fonts with CSS It’s Time to Stop Adding New Features for Non-Unicode Execution Encodings in C++ Rust 2020 The Last of the Parsing Quirks About about:blank Rust 2019 a Web-Compatible Character Encoding Library in Rust How I Wrote a Modern C++ Library in Rust Using cargo-fuzz to Transfer Code Review of Simple Safe Code to Complex Code that Uses unsafe A Rust Crate that Also Quacks Like a Modern C++ Library #Rust2018 No Namespaces in JSON, Please A Lecture about HTML5 Julkisesti luotettu varmenne ikidomainille TLS:ää (SSL:ää) varten -webkit-HTML5 The Sad Story of PNG Gamma “Correction” If You Want Software Freedom on Phones, You Should Work on Firefox OS, Custom Hardware and Web App Self-Hostablility HTML5 Parser Improvements ARIA in HTML5 Integration: Document Conformance (Draft, Take Two) Schema.org and Pre-Existing Communities Lowering memory requirements by replacing Schematron HTML5 Parsing in Gecko: A Build Introducing SAX Tree NVDL Support in Validator.nu HOWTO Avoid Being Called a Bozo When Producing XML An Unofficial Q&A about the Discontinuation of the XHTML2 WG Thoughts on HTML5 Becoming a W3C Recommendation Four Finnish Banks Training Users to Give Banking Credentials to Another Site Unimpressed by Leopard Sergeant Semantics The Content Sink Inheritance Diagram – 2006-06-30 What is EME? About Points and Pixels as Units The Performance Cost of the HTML Tree Builder Social Media Impression Management The spacer Element Is Gone Openmind 2006 Performance Mistake XHTML and Mobile Devices WebM-Enabled Browser Usage Share Exceeds H.264-Enabled Browser Usage Share on Desktop (in StatCounter Numbers) HTML5 Parser-Based View Source Syntax Highlighting Vendor Prefixes Are Hurting the Web Accept-Charset Is No More Dualroids Writing Structural Stylable Document in Mozilla Editor ISO-8859-15 on haitallinen Hourglass The Scientific Method According to Hixie Maemo Source Code Karpelan lukkovertaus ontuu Digitaalisesta arkistoinnista ARIA in HTML5 Integration: Document Conformance (Draft) XHTML—What’s the Point? (Draft, incomplete) Mac OS X Browser Comparison HOWTO Spot a Wannabe Web Standards Advocate An Idea About Intermediate Language Trees and Web UI Generation Thoughts on Using SSL/TLS Certificates as the Solution to Phishing Bureaucracy Meets the Web Europe Day HOWTO Establish a 100% Literacy Rate What to Do with All These Photos? Charmod Norm Checking Validator Web Service Interface Ideas DTDs Don’t Work on the Web EFFI’s Day in Court Speaking at XTech
Lists in Attribute Values
Henri Sivonen · 2015-07-14 · via Henri Sivonen’s pages

Recently, I’ve been working on Web Apps 1.0 aka. HTML5 conformance checking. Since Web Forms 2.0 is a relatively stable part of HTML5, I am currently focusing on forms.

The Web Forms 2.0 spec is currently defined as an extension to HTML 4 and DOM. Therefore, even if the specification itself aims for precision, it is sometimes necessary to refer to less precise specifications.

accept-charset

The accept-charset attribute is not defined in Web Forms 2.0. Instead, you have to look it up in HTML 4.01. (At least for now. Hopefully, in the future the Web Apps 1.0 spec will be self-contained.) Here’s what HTML 4.01 says:

accept-charset = charset list [CI]

This attribute specifies the list of character encodings for input data that is accepted by the server processing this form. The value is a space- and/or comma-delimited list of charset values. The client must interpret this list as an exclusive-or list, i.e., the server is able to accept any single character encoding per entity received.

The default value for this attribute is the reserved string "UNKNOWN". User agents may interpret this value as the character encoding that was used to transmit the document containing this FORM element.

In my role as a conformance checker developer I need to scrutinize the specs very carefully so that I can be precise in my implementation in order to avoid endless arguments. (See Why specs matter for further discussion and technical terminology.) “Space- and/or comma-delimited list” may look reasonable on the surface, but what does it mean, exactly? Obviously, the list items can be delimited by either a single space or a single comma. That is reasonably clear. But are multiple spaces allowed? What about multiple commas? Do the spaces have to come first and the commas second? Are spaces and commas before and after the items allowed? At what point should one throw an Undecipherable Specification Error? Does all this even matter if the UA ignores list items that are empty strings?

The frustrating part about this is that allowing the comma is useless. A “charset value” cannot be the empty string and cannot contain a space, a tab, a carriage return or a line feed. There is a convention in SGMLish and XMLish language design that when you have a list of such values in an attribute value, you separate the items with whitespace and allow whitespace before and after.

RELAX NG formalizes this:

split( s )

returns a sequence of strings one for each whitespace delimited token of s; each string in the returned sequence will be non-empty and will not contain any whitespace

and

a whitespace character is one of #x20, #x9, #xD or #xA

The good thing about adhering to a convention is that people can use tools. (You know, tools will save us and all that.) The people who actually read the specifications don’t need to write custom code, and the people who don’t read specifications have a greater chance of doing the right thing by calling code someone else wrote.

The main point I am trying to make here is this:

[Image of a nutshell] If you’re designing a language that has an XML 1.0 serialization and you are defining an attribute that takes the list of values and those values cannot contain whitespace and cannot be the empty string, please use the convention as formalized by RELAX NG and use one or more whitespace characters (where whitespace characters are U+0020, U+0009, U+000D and U+000A) as the item separator and allow zero or more whitespace characters before and after the list.

inputmode

Just for comparison, let’s take a look at another attribute that is specified by reference to another specification. The inputmode attribute is defined as being exactly equivalent to the XForms attribute of the same name.

On the bright side, the token separation is conventional. On the less bright side, the spec is a bit imprecise.

How am I supposed to know which scripts count as bicameral? Where do I find normative text? Not in XForms. Not in UAX #24. Not in UTR #21. Not in section “4.2 Case—Normative” of Unicode 4.0. (Not clearly enough to cover math and whether georgian should be considered bicameral here, that is. And UTR #21 missed Deseret just like I did the first time round.) I figured (from the occurrence of “CAPITAL LETTER” in character names) that armenian, cyrillic, deseret, georgian, greek, latin and math are bicameral. Also, custom scripts and the user script have to be assumed to allow modifiers that apply to bicameral scripts.

Are multiple modifiers allowed? The spec does not say, but I assume the modifiers dealing with case are mutually exclusive and that the modifiers dealing with prediction are mutually exclusive.

Are IRIs allowed as custom scripts? The spec implies so.

Is at least one token required? The spec prose does not say. Let’s look at the schema. It says:

<xsd:attribute name="inputmode" type="xsd:string" use="optional"/>

It’s like reading DTDs all over again. And I thought XSD was all about data typing.

Thanks to XForms following the whitespace-separation convention, the syntax of the inputmode attribute (unlike accept-charset) was expressible in RELAX NG without resorting to a custom datatype.

Are They Useful?

What else do these two attributes have in common besides taking a list as the value? These are probably the two least useful attributes in the Web Forms 2.0 spec. One exists for backwards compatibility. The other exists in order to match feature bullet points with XForms.

An author shouldn’t want the user agent to submit form data in any encoding other than UTF-8. Also, as a user, I don’t want a form author to mess with my text input method in and non-obvious way. If the UA changes the input method, it makes more sense to do it based on the input type (e.g. change from Kanji to Latin for password fields and on phones change to digit input for number fields).