[Templates] template-toolkit and GD

Randal L. Schwartz merlyn@stonehenge.com
06 Nov 2002 11:27:42 -0800


>>>>> "Matthew" == Matthew Pressly <mpressly@claborn.net> writes:

Matthew> Can you elaborate on this?  Should query parameters always
Matthew> be separated by '&amp;' or ';' rather than '&'?

Yes.

Matthew> Should 
Matthew> <img src="http://a.b.c/d?e=1&f=2&g=3">
Matthew> <a href="http://a.b.c/d?e=1&f=2&g=3">misc</a>
Matthew> <form action="http://a.b.c/d?e=1&f=2&g=3">...</form>

Matthew> be changed to
Matthew> <img src="http://a.b.c/d?e=1&amp;f=2&amp;g=3">
Matthew> <a href="http://a.b.c/d?e=1&amp;f=2&amp;g=3">misc</a>
Matthew> <form action="http://a.b.c/d?e=1&amp;f=2&amp;g=3">...</form>

Yes.

Matthew> Do you also have any references on this?  So far I have found this:

Matthew> http://www.w3.org/TR/1998/REC-html40-19980424/appendix/notes.html#h-B.2.2

Yes, that's one authority.  And there are no contradicting authorities.
There's only the constantly-invoked error correcting code in the browsers.
Try changing one of your parameters to "amp", and see how broken it gets. :)

HTML content and HTML tag parameters must all be HTML-entitized.
Always.  If you want to send "&" to the server on clicking a link, it
MUST be encoded as "&amp;" in the tag parameter.  Anything else is wrong.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
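The breakage Randal describes (a parameter named "amp" silently losing its name once a browser's error-correcting entity decoder has been at the attribute value) is easy to reproduce in a few lines. The following is an added example, not code from the thread or from Template Toolkit; `decodeLenient` is a deliberately simplified model of legacy browser behaviour (named references recognised even without a trailing ";"), not a reimplementation of any real parser, and the URL and parameter names are made up for illustration. It also shows the two fixes Randal and the HTML 4 appendix give: escape "&" as "&amp;" inside the tag, or separate parameters with ";" so there is no "&" to escape.

```javascript
// Added example: why a raw "&" inside an HTML attribute value is unsafe,
// and how entity-escaping (or the ";" separator) fixes it.
// decodeLenient is a simplified model of legacy "error-correcting" browser
// decoding, not any specific browser. Constructed sample data throughout.

// A handful of named references; a real decoder knows thousands.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', copy: '\u00A9' };
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return String(s).replace(/[&<>"]/g, (c) => ATTR_ESCAPES[c]);
}

// Build a query string, percent-encoding every key and value.
// sep is "&" (then the result MUST be entity-escaped before it goes in a tag)
// or ";" (the HTML 4 appendix B.2.2 alternative that needs no escaping).
function buildQuery(params, sep = '&') {
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join(sep);
}

// Lenient decoder: a known name after "&" is decoded with or without ";".
// Unknown names (like "&f=2") are left alone, which is why most pages
// "work" despite being wrong.
function decodeLenient(s) {
  return s.replace(/&([a-zA-Z]+);?/g, (m, name) => (name in NAMED ? NAMED[name] : m));
}

// Parse the query part of a URL into an object, accepting "&" or ";".
function parseQuery(url) {
  const q = url.split('?')[1] || '';
  const out = {};
  for (const part of q.split(/[&;]/)) {
    if (!part) continue;
    const [k, v = ''] = part.split('=');
    out[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return out;
}

// Compare what a lenient decoder makes of the three ways to write the link.
function demo() {
  const base = 'http://a.b.c/d';
  const params = { e: '1', amp: '2', copy: '3' };  // "amp" and "copy" are entity names
  const rawUrl = base + '?' + buildQuery(params);  // http://a.b.c/d?e=1&amp=2&copy=3

  // Unescaped in the tag: "&amp" becomes "&", "&copy" becomes "©"; both
  // parameter names are gone by the time the request is built.
  const seenUnescaped = parseQuery(decodeLenient(rawUrl));
  // Escaped as "&amp;" in the tag: decoding gives back exactly the intended URL.
  const seenEscaped = parseQuery(decodeLenient(escapeAttr(rawUrl)));
  // ";" separator: no "&" anywhere, so there is nothing to misdecode.
  const seenSemi = parseQuery(decodeLenient(base + '?' + buildQuery(params, ';')));

  return { rawUrl, escapedAttr: escapeAttr(rawUrl), seenUnescaped, seenEscaped, seenSemi };
}

console.log(demo());
```

Running it prints the raw URL, its escaped form (`...?e=1&amp;amp=2&amp;copy=3`), and the three parsed results: the unescaped version has lost both `amp` and `copy`, while the escaped and the `;`-separated versions both yield `{ e: '1', amp: '2', copy: '3' }`. The fix is the one Randal states: the URL is built first (percent-encoding belongs to the URL layer), and only when it is placed into HTML is it entity-escaped, every time.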