XHTML vs. HTML4 and csrf middleware in particular


Michael Radziej

06:00:34 17 Oct 2006
to django-d...@googlegroups.com
Hi,

I have to start with a little background.

There's the still interesting issue of what media type you give
to your pages and whether to use html4 or xhtml. Large part of
Django seems to use xhtml, and I like it somehow better than
html, so I use it and give to browsers that accept it
application/xhtml+xml as media type (and to others I feed the
same input but call it text/html).

Now, when I use the great csrf middleware from contrib, it
outputs this error message when it deduces that there's a csrf
attack, and without any template around it:

<h1>403 Forbidden</h1><p>Cross Site Request Forgery detected.
Request aborted.</p>

If you try this with a firefox and media type
application/xhtml+xml, you only get a message that the server has
given us incorrect xhtml. And right so. So I changed it to:

<html xmlns="http://www.w3.org/1999/xhtml"
xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request
Forgery detected. Request aborted.</p></body></html>

Now to my question:

What is the current policy? Should this output be xhtml-conformant
or not?

The point is, and that goes above the csrf message, I don't know
if it's a good idea or not to use xhtml at all. You need to call
it text/html for IE6 and before, but to get any benefit from xml
(i.e., to see your errors immediately and get a more rigid
interpretation from the browser), you need to call it
application/xhtml+xml at least to the browsers that understand it.
But then you get interesting effects on stylesheets and
JavaScript: stylesheets are also interpreted a little bit
differently (e.g., case matters with xhtml but not with html;
JavaScript is expected to use the namespace stuff). I have this
under control for myself, but I really don't know if it's a good
idea to propose xhtml in general.

Michael
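As an added illustration of the two points above (this is example code, not the thread's or Django's own middleware), the following builds the well-formed XHTML 403 body from the post and negotiates its media type on the request's Accept header, sending application/xhtml+xml only to clients that explicitly list it and text/html to everyone else. The Accept header values are constructed samples, and the check that the body is well-formed XML is an assumption about what an XHTML-mode browser requires.

```python
"""Added example: CSRF 403 body plus Accept-header media type negotiation.
Not the thread's or Django's code; plain Python so it runs offline."""
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Well-formed XHTML version of the middleware message, as posted in the thread.
FORBIDDEN_BODY = (
    '<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body>'
    '<h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. '
    'Request aborted.</p></body></html>'
)


def parse_accept(header):
    """Return {media_type: q} from an Accept header; a missing q means 1.0."""
    prefs = {}
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        if not parts[0]:
            continue
        q = 1.0
        for param in parts[1:]:
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        prefs[parts[0].lower()] = q
    return prefs


def choose_media_type(accept_header):
    """application/xhtml+xml only when the client names it with q > 0.
    A bare */* does not count (assumption), so clients such as IE6 that
    do not list it keep getting text/html for the same bytes."""
    prefs = parse_accept(accept_header or "")
    if prefs.get("application/xhtml+xml", 0.0) > 0.0:
        return "application/xhtml+xml"
    return "text/html"


def is_well_formed_xhtml(body):
    """True when an XML parser accepts the body and the root is XHTML <html>.
    The bare <h1>...</h1><p>...</p> fragment fails here: two root elements."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.tag == "{%s}html" % XHTML_NS


def csrf_forbidden_response(accept_header):
    """Return (status, content_type, body) for the CSRF-failure case."""
    content_type = choose_media_type(accept_header) + "; charset=utf-8"
    return 403, content_type, FORBIDDEN_BODY
```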

Antonio Cavedoni

06:15:23 17 Oct 2006
to django-d...@googlegroups.com
Hi Michael,

On 17 Oct 2006, at 12:00, Michael Radziej wrote:
> Large part of Django seems to use xhtml, and I like it somehow
> better than html, so I use it and give to browsers that accept it
> application/xhtml+xml as media type (and to others I feed the same
> input but call it text/html).

this is slightly orthogonal to your question, but bear in mind that
when served as application/xhtml+xml the page is parsed differently
by the browser. For example, JavaScript requires namespace-aware
methods for DOM manipulation on application/xhtml+xml documents, so
your scripts will likely break from one version to the other. This is
not the only problem; many others have been outlined in these two
articles that I strongly advise you to read:

http://hixie.ch/advocacy/xhtml
http://webkit.org/blog/?p=68

Since you stated you’re serving the same content with different MIME
types, you may be on a slippery slope there.

HTH,
--
Antonio


Michael Radziej

06:21:38 17 Oct 2006
to django-d...@googlegroups.com
Antonio Cavedoni schrieb:

> Hi Michael,
>
> On 17 Oct 2006, at 12:00, Michael Radziej wrote:
>> Large part of Django seems to use xhtml, and I like it somehow
>> better than html, so I use it and give to browsers that accept it
>> application/xhtml+xml as media type (and to others I feed the same
>> input but call it text/html).
>
> this is slightly orthogonal to your question, but bear in mind that
> when served as application/xhtml+xml the page is parsed differently
> by the browser.

Antonio, you're probably suffering from a severe
read-only-first-paragraph syndrome here. Proposed cure is to read
email again until bottom hits ;-)

Michael

James Bennett

07:15:46 17 Oct 2006
to django-d...@googlegroups.com
On 10/17/06, Michael Radziej <m...@noris.de> wrote:
> What is the current policy? Should this output be xhtml-conformant
> or not?

Policy for Django? There isn't one, so far as I know. Policy for the
web in general? Good luck with that :)

> The point is, and that goes above the csrf message, I don't know
> if it's a good idea or not to use xhtml at all. You need to call
> it text/html for IE6 and before, but to get any benefit from xml
> (i.e., to see your errors immediately and get a more rigid
> interpretation from the browser), you need to call it
> application/xhtml+xml at least to the browsers that understand it.
> But then you get interesting effects on stylesheets and
> JavaScript: stylesheets are also interpreted a little bit
> differently (e.g., case matters with xhtml but not with html;
> JavaScript is expected to use the namespace stuff). I have this
> under control for myself, but I really don't know if it's a good
> idea to propose xhtml in general.

I think XHTML is fine, so long as it's in the hands of someone who
really knows how to use it. There aren't a whole lot of people like
that, though, so I don't think XHTML is appropriate in most of the
cases where it's used. Of course, I may be accused of bias :)

--
"May the forces of evil become confused on the way to your house."
-- George Carlin

Antonio Cavedoni

09:47:54 17 Oct 2006
to django-d...@googlegroups.com
On 17 Oct 2006, at 12:21, Michael Radziej wrote:
> Antonio, you're probably suffering from a severe read-only-first-
> paragraph syndrome here. Proposed cure is to read email again until
> bottom hits ;-)

Michael: you’re right, I’m a moron :-)

Sorry for wasting everyone’s time.

Cheers.
--
Antonio

