doctype and IE vulnerability?

Forum Moderators: open

Message Too Old, No Replies

doctype and IE vulnerability?

doctype declarations

rroberts

2:57 am on May 11, 2003 (gmt 0)

I firmly support web standards and accessibility guidelines, hand code my xhtml pages and css, and validate them.

Recently, someone who is a confirmed FrontPage and ASP advocate announced to me in an email that he did not put doctype declarations on his pages because of a "vulnerability" in Internet Explorer. He didn't explain this, and so far I have found no information on the 'net.

I suspect he's full of, umm, stuff, but would like to hear if anyone else has ever heard of this. Links to info appreciated.

thanks
rroberts

SinclairUser

3:50 am on May 11, 2003 (gmt 0)

rroberts,

Don't know if this is what he is talking about - not a security issue but a css rendering engine problem when doctype specified that could "BREAK" your pages.

Another problem for webmasters with IE 6
Of all the changes to IE 6, perhaps the most important for Webmasters is the addition of dual CSS rendering engines. While this new feature helps Internet Explorer comply with the W3C HTML standards, it may also break your existing Web pages.

The full story is here:

[tipsdr.com...]

grahamstewart

4:14 am on May 11, 2003 (gmt 0)

Hmm.. that article has some dodgy information in it.

Using a correct doctype will not 'break' your page. It will cause the page to be laid out properly in accordance with the W3C specifications.

If this messes up your page then..

a) you've not being writing to the standards

b) you are now experiencing what anyone coming to your site with a browser other than IE was seeing.

The correct full doctype for HTML4.01 Strict is

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

all on one line at the very top of the page (above <html>).

See [w3.org...] for the others.

rroberts: AFAIK there are no vulnerabilities caused by specifying a doctype. Sounds like rubbish to me.

tedster

5:13 am on May 11, 2003 (gmt 0)

I agree - no security vulnerabilities that I know of come from a valid DTD. Just embarrasing screens.

But I also have a lot of legacy pages that render well on most browsers and will break if I add a full doctype. Cleaning up that legacy code is just not in the cards. It will probably die only when the client decides they need a full re-design.

Given that the information rroberts received came from a FP/MS afficianado, I'd bet they're in the same boat I am. And it is a very practical issue.

I'd love to have all my client pages validate and begin with a complete DTD. But some of these sites contain years of errors, piled up from stupid WYSIWYG code, obstinate CMS systems and so on. I can't afford to be a purist with these clients, at least not yet.

I am very thankful for quirks mode.

rroberts

8:36 pm on May 13, 2003 (gmt 0)

Thank you SinclairUser, grahamstewart and tedster. I was aware of quirks mode, but the 'full story' link explained it pretty nicely.

So far, I stick with transitional doctypes, which seems to make to the most sense for now, but will re-examine that position. Have been most influenced by this article at A List Apart: [alistapart.com...]

I agree with grahamstewart that the guy's notion is full of rubbish, and this thread confirms it. My opinion: FP is for web design what mustard is for donuts.

thanks to all
rroberts