date: Thu, 21 Aug 2008 14:39:22 GMT,
group: uk.net.web.authoring
Dangerous quotes
Thought I would share this. The CMS that I'm using for a blog puts the
title of an item inside a title="" attribute that appears in various links.
This is done with a variable of course. All is fine until the title of an
item has something in quotes. Of course the first " that appears signals
the end of the title attribute, so anything after that is interpreted as
code within the <a> tag.
The browsers that I've tried seem to cope with this OK so long as all that
follows is ordinary text (though of course the text that appears is
truncated at the first "). But I can imagine a technical blog where the
content of the variable could itself have some HTML code - that could be a
bit funny.
--
Tony W
My e-mail address has no hyphen
- but please don't use it, reply to the group.
date: Thu, 21 Aug 2008 14:39:22 GMT
author: Tony
|
Re: Dangerous quotes
"Tony" writes:
> Thought I would share this. The CMS that I'm using for a blog puts the
> title of an item inside a title="" attribute that appears in various links.
> This is done with a variable of course. All is fine until the title of an
> item has something in quotes. Of course the first " that appears signals
> the end of the title attribute, so anything after that is interpreted as
> code within the <a> tag.
That's a sort of programming 101 error (though of course it may be a bug
somewhere else defeating the intent to do it correctly).
> The browsers that I've tried seem to cope with this OK so long as all that
> follows is ordinary text (though of course the text that appears is
> truncated at the first "). But I can imagine a technical blog where the
> content of the variable could itself have some HTML code - that could be a
> bit funny.
The trouble with things like this is they make you think "what else is
going on?".
--
Ben.
date: Thu, 21 Aug 2008 15:57:14 +0100
author: Ben Bacarisse
|
Re: Dangerous quotes
"Ben Bacarisse" wrote in message
news:87hc9ect6d.fsf@bsb.me.uk...
>
> That's a sort of programming 101 error
Wassat? I googled 101 error and got a load of stuff that I didn't
understand.
--
Tony W
My e-mail address has no hyphen
- but please don't use it, reply to the group.
date: Thu, 21 Aug 2008 18:09:23 GMT
author: Tony
|
Re: Dangerous quotes
>> That's a sort of programming 101 error
>
> Wassat? I googled 101 error and got a load of stuff that I didn't
> understand.
That's a sort of Googling 101 error.
date: Thu, 21 Aug 2008 19:40:58 +0100
author: Trent SC lid
|
Re: Dangerous quotes
In message <nbirk.46183$E41.34131@text.news.virginmedia.com>, Tony
writes
>"Ben Bacarisse" wrote in message
>news:87hc9ect6d.fsf@bsb.me.uk...
>>
>> That's a sort of programming 101 error
>
>Wassat? I googled 101 error and got a load of stuff that I didn't
>understand.
>
I believe our friends over the pond often refer to the first module of a
course as 101. So Programming 101 would be a basic introduction to
programming. So I think Ben was implying it was a very basic error -
which it is. Data should always be verified / cleaned up by the program
before being used.
--
Dominic Sexton
date: Thu, 21 Aug 2008 19:31:46 +0100
author: Dominic Sexton {da-sep03}@dscs.demon.co.uk
|
Re: Dangerous quotes
At 18:09:23 on Thu, 21 Aug 2008, Tony wrote in
<nbirk.46183$E41.34131@text.news.virginmedia.com>:
>"Ben Bacarisse" wrote in message
>news:87hc9ect6d.fsf@bsb.me.uk...
>>
>> That's a sort of programming 101 error
>
>Wassat? I googled 101 error and got a load of stuff that I didn't
>understand.
Think "(programming 101) error", rather than "programming (101 error)".
It's rather similar to when several relay teams with strong Olympic
medal prospects nevertheless seem never to have learned how to pass the
baton properly...
--
Molly Mockford
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety - Benjamin Franklin
(My Reply-To address *is* valid, though may not remain so for ever.)
date: Thu, 21 Aug 2008 19:57:22 +0100
author: Molly Mockford
|
Re: Dangerous quotes
"Molly Mockford" wrote in message
news:e5CxHB8SqbrIFwyQ@molly.mockford...
> It's rather similar to when several relay teams with strong Olympic medal
> prospects nevertheless seem never to have learned how to pass the baton
> properly...
What are they saving the numbers up to 100 for? Pre-school? Anyway, sorry.
I obviously missed lesson 1, or 101, or (for programmers) 0.
--
Tony W
My e-mail address has no hyphen
- but please don't use it, reply to the group.
date: Thu, 21 Aug 2008 21:41:31 GMT
author: Tony
|
Re: Dangerous quotes
In uk.net.web.authoring message <u6frk.46067$E41.23208@text.news.virginmedia.com>, Thu, 21 Aug 2008 14:39:22, Tony
posted:
>Thought I would share this. The CMS that I'm using for a blog puts the
>title of an item inside a title="" attribute that appears in various links.
>This is done with a variable of course. All is fine until the title of an
>item has something in quotes. Of course the first " that appears signals
>the end of the title attribute, so anything after that is interpreted as
>code within the <a> tag.
If that is needed, use title = 'rhubarb "and" custard' or write the
internal " as &quot; - if necessary, get software to make the conversion.
If the title is generated by JavaScript, you can escape the inner " with
\ or use &quot; or \x22 or \u0022 (untested).
It's a good idea to read the newsgroup c.l.j and its FAQ. See below.
--
(c) John Stockton, nr London UK. ?@merlyn.demon.co.uk IE7 FF2 Op9 Sf3
news:comp.lang.javascript FAQ <URL:http://www.jibbering.com/faq/index.html>.
<URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.
date: Thu, 21 Aug 2008 20:47:24 +0100
author: Dr J R Stockton
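Tony's first post describes the title attribute being cut at the first " and Stockton's reply gives the escaping fix; this added JavaScript example (not code from the thread or from the CMS) builds the link both ways and shows what a browser takes as the attribute. The href, the item title and the helper names are constructed for the example.

```javascript
// Added example (not the thread's CMS code): a link whose title attribute
// carries a user-supplied item title, built naively and then with escaping.

// Escape the characters that can end an attribute or start a tag. Apply this
// to every untrusted value at the point where it is written into HTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Naive version, as the first post describes it: the title is interpolated
// into title="..." unchanged, so the first " in it ends the attribute.
function naiveLink(href, title) {
  return '<a href="' + href + '" title="' + title + '">Read this item</a>';
}

// Hardened version: both interpolated values go through escapeHtml().
function safeLink(href, title) {
  return '<a href="' + escapeHtml(href) + '" title="' + escapeHtml(title) +
         '">Read this item</a>';
}

// What a browser takes as the title attribute's value: everything up to the
// first ". (A deliberately minimal matcher, not an HTML parser.)
function titleAttributeValue(html) {
  const m = /\stitle="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// What is left inside the <a ...> start tag after that truncated attribute;
// this is the text the browser then tries to read as further attributes.
function leftoverInTag(html) {
  const m = /\stitle="[^"]*"([^>]*)>/.exec(html);
  return m ? m[1] : null;
}

// Constructed sample: the title from Stockton's reply and a hypothetical href.
const HREF = "/items/42";
const TITLE = 'rhubarb "and" custard';

// Naive: attribute value is 'rhubarb ' and 'and" custard"' is stray tag text.
// Safe: the full title survives as one attribute and nothing is left over.
console.log(titleAttributeValue(naiveLink(HREF, TITLE)), "|", leftoverInTag(naiveLink(HREF, TITLE)));
console.log(titleAttributeValue(safeLink(HREF, TITLE)), "|", leftoverInTag(safeLink(HREF, TITLE)));
```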
|
Re: Dangerous quotes
On Thu, 21 Aug 2008 21:41:31 GMT, Tony put finger to keyboard and
typed:
>"Molly Mockford" wrote in message
>news:e5CxHB8SqbrIFwyQ@molly.mockford...
>
>> It's rather similar to when several relay teams with strong Olympic medal
>> prospects nevertheless seem never to have learned how to pass the baton
>> properly...
>
>What are they saving the numbers up to 100 for? Pre-school? Anyway, sorry.
>I obviously missed lesson 1, or 101, or (for programmers) 0.
They're not sequential like that. It's a compound string consisting of
two sets of digits. The first digit is the course level (1 = entry),
and the second two digits are the module (starting at 01, then going
02, 03, etc for as many modules as there are in the course). So 101 is
the first module of an entry level course.
Mark
date: Fri, 22 Aug 2008 07:06:18 +0100
author: Mark Goodge
|
Re: Dangerous quotes
"Dr J R Stockton" wrote in message
news:OhkqZrVMZcrIFwgs@invalid.uk.co.demon.merlyn.invalid...
> If that is needed, use title = 'rhubarb "and" custard' or write the
> internal " as &quot; - if necessary, get software to make the conversion.
> If the title is generated by JavaScript, you can escape the inner " with
> \ or use &quot; or \x22 or \u0022 (untested).
Sure. The problem is that putting the title entered by the user into a
variable etc. is done in the "core" of the CMS that is not supposed to be
altered, as any changes are likely to be broken by upgrades. Also the code
is rather opaque to someone like me who is not experienced in PHP as there
are loads of modules, many of which interact, so there would be a danger of
unintended consequences.
If I am entering the title of an item myself I know how to deal with it now,
but I am not the blog user, just the person who installed and customised the
CMS. Users should not have to think about things like that. For my own
purposes I can get round it (1) by instructing the user to stick to single
quotes and (2) by altering the title attribute so it says something like
"Read this item" instead of including the actual item title. This is not
part of the CMS core.
--
Tony W
My e-mail address has no hyphen
- but please don't use it, reply to the group.
date: Fri, 22 Aug 2008 10:52:15 GMT
author: Tony
|
Re: Dangerous quotes
On 22/8/08 7:06 am, in article
5mlsa4d95471tdqo3t4uj32itnb3f8djf7@news.markshouse.net, "Mark Goodge"
wrote:
> On Thu, 21 Aug 2008 21:41:31 GMT, Tony put finger to keyboard and
> typed:
>
>> "Molly Mockford" wrote in message
>> news:e5CxHB8SqbrIFwyQ@molly.mockford...
>>
>>> It's rather similar to when several relay teams with strong Olympic medal
>>> prospects nevertheless seem never to have learned how to pass the baton
>>> properly...
>>
>> What are they saving the numbers up to 100 for? Pre-school? Anyway, sorry.
>> I obviously missed lesson 1, or 101, or (for programmers) 0.
>
> They're not sequential like that. It's a compound string consisting of
> two sets of digits. The first digit is the course level (1 = entry),
> and the second two digits are the module (starting at 01, then going
> 02, 03, etc for as many modules as there are in the course). So 101 is
> the first module of an entry level course.
I'd call it an 'under 5s' error, meaning that it was really basic. 101, of
course, is also 5 in binary.
:)
A
date: Sat, 30 Aug 2008 07:28:02 +0100
author: Andy Jacobs