Forum Moderators: coopster
This is the specific block of code, though I imagine any escaped PHP falls under this bug/error:
<?php if ($var > 1) {?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']?>">
<p>
<label for="correction">Correction:</label><br />
<textarea id="correction" name="correction"></textarea>
</p>
<?php }?>
If I try to validate that code, I will get an XHTML compliant page. So let's try it without escaping the PHP:
<form method="post" action="<?php echo $_SERVER['PHP_SELF']?>">
<p>
<label for="correction">Correction:</label><br />
<textarea id="correction" name="correction"></textarea>
</p>
</form>
With that code, the validator gives me the following errors, as it should:
Line 148, column 51: required attribute "rows" not specified
Line 148, column 51: required attribute "cols" not specified
Why does the validator parse escaped PHP like this? More importantly, how, if it cannot actually view the PHP, being server side as it is?
Furthermore, which validation is technically correct? Should I copy paste my dynamically generated pages via view-source, then validate them that way?
You need the rows and cols attributes in your textarea for your page to be valid xhtml.
You are not trying to validate PHP are you? If you type in the URL of your page in the validator it will never see the PHP. That would be the same as copy/paste via view-source.
From what I can tell the validator inst setting $var, which leads to generation of HTML that doesnt include the badly formatted textfield input element, so it validates.
It can NOT tell the difference between escaped or un-escaped data, never. It will only see HTML, but it should be formatted well.
