The HTML Living Standard - Book Review

Extensibility:

The class attribute can extend elements to effectively create new ones. (mentions microformats here)

Can freely use data-* attributes without any worry that the browser will mess with them (or be thrown off by them) since they get ignored at the browser level. Great way to allow scripts to include data on HTML elements that can then be looked for by the same or other scripts

Can use <meta name="" content=""> to add page wide metadata (I've never used this for anything, but it's an interesting idea to think about assuming scripts can access it)

Can use the rel="" format to work with other link types (microformats is mentioned here too)

Can use <script type=""> to embed custom kinds of scripts

APIs can be extended with JavaScript's prototyping mechanisms (widely used in script libraries)

Can use itemscope and itemprop to embed nested name-value pairs (I'd never heard of this one)

Can make custom elements (e.g. web components) that use a - in the name that won't conflict with future versions of HTML, SVG, or MathML because they won't ever add a standard element with a - in the name

HTML v XML

The in-memory representation of a pages resources are know as the "DOM HTML" or just "the DOM" for short

There are two concrete syntaxes for DOMs in this spec: HTML and XML.

HTML is recommended for most cases.

Anything sent with a text/html MIME type will be treated as HTML

The XML MIME type is application/xhtml+xml. Anything sent with that MIME type is parsed by an XML processor.

Biggest thing to remember is that minor syntax errors will prevent an XML doc from rendering while the same type of errors are ignored in HTML and the page generally can render regardless.

Not everything that can be represented in HTML can be represented in the DOM or XML. E.g. namespaces can be defined in the DOM and XML, but not HTML. noscript stuff can be represented in HTML but not in the DOM or XML. Comments with the string --> can be added to the DOM but not HTML.

Document Structure And Conventions

Lays out the structure of the document and how type is used to identify things

Quick Intro

HTML docs consist of a tree or elements and text. Elements generally have start and end tags (e.g. <p> and </p>) though they can sometimes be omitted.

Tags are always nested without overlapping.

For example, this is valid

<strong><em>text</em></strong>

While this is not:

<strong><em>text</strong></em>

There's a standard set of HTML elements.

Elements can have attributes that effect how they work.

Attributes go inside the start tag and generally consist of a name and value.

Attribute values are generally quoted but can be used without quotes as long as there is no whitespace or other conflicting character (i.e. double quote, single quote, backtick, equal sign, greater than, or less than)

Attributes don't have to have a value (e.g. disabled)

The HTML is parsed and turned into a DOM tree (which is an in memory representation of the document.

DOM trees contain several types of nodes. (e.g. DocumentType, Element, Text, Comment, ProcessingInstruction)

The "document element" of HTML documents is the html element itself.

There tend to be more Text nodes that you'd initially expect because spaces and newlines all end up making Text nodes between other element tags.

Exceptions are any whitespace before the <head> start tag is silently dropped. And, all whitespace after the </body> end tag gets placed at the end of the body instead.

DOM trees can be manipulated from scripts on the page.

Scripts can be embedded using <script> tags or with "event handler content attributes" (which we'll see later)

Most of the time this document will refer to DOM trees instead of directly about the markup since DOM trees are what's used by browsers.

HTML docs can be rendered on screen, through a speech synthesizer, a braille reader, etc.... CSS can be used to affect how the various renderings take place

Love this line: "the novice author is cautioned that this specification, by necessity, defines the language with a level of detail that might be difficult to understand at first."

Writing Secure Apps With HTML

This document can't fully cover security. Authors are encouraged to seek out and study possible security issues in detail.

A few of the common pitfalls to watch out for:

The security model is based on the concept of "origins" and many attacks come from cross-origin actions. Problems can include

Not validating user input, cross site scripting (XSS), SQL injection.

You should make sure to do things like safelist things like attributes if you accept tags.

Make sure you don't accept URLs with javascript: protocol.

Allowing a base element to be inserted in a document means any script elements with relative links can be hijacked. Same goes for forms.

Study up on Cross-Site Request Forgery (CSRF)

Study up on Clickjacking. Part of which states:

"sites that do not expect to be used in frames are encouraged to only enable their interface if they detect that they are not in a frame (e.g. by comparing the window object to the value of the top attribute)

Common Scripting Pitfalls

Scripts in HTML are "run-to-completion". That is, the browser will usually run the script uninterrupted before doing something else (e.g. firing other events or continuing to parse the document)

HTML parsing is different. It's incremental. Meaning the parser can pause at any point to let scripts run. That means one thing to watch out for is to avoid adding event handlers after the event could have fired.

Two techniques for that are to use "event handler content attributes", or to create the element and the handler in the same script. Doing thing in the same script is safest because scripts are run to completion before other events can fire.

Catching Mistakes

Check out: https://wahtwg.org/validator/

for validators.

Conformance Requirements

This doc specifices a lot of processing for invalid docs as well as valid ones.

Presentaiton Markup

The majority of presentation markup from prior versions of HTML are no longer allowed.

They were removed because of e.g. poor accessability (it added complexity to figure out how Assistive Tech should handle them).

By using media/presentation-independent markup it's easier to author documents that work for more users (e.g. text based browsers)

It's also generally a lot easier to maintain markup when it's style-independent. (e.g. changing the text color on a site that uses <font color=""> everywhere is a lot more work than changing a single value in a global stylesheet.

Reducing the overall document size is another reason to remove the presentation stuff.

The only presentation stuff left in the HTML spec is the <style> element and style="" attribute. Using the attribute is generally discoraged in prod but can work nicely for rapid prototyping or when an unusal cases when adding another styelsheet would be invonvenient.

The b, i, hr, s, small, and u tags all used to be presentational. They are now redefined to be media independent (though the implementaitons may affect presentation as well)

Syntax Errors

Bascially, shit can get weird with the DOM tree, but browsers are pretty good at figuring out what you meant.

Content Model and Attriubte Value Restrctions

Again, shit can get weird, but browsers do their best.

Further Reading

Other things that spec readers might be interested in:

Character Model for the World Wide Web 1.0: Fundamentals

Unicode Security Considerations

Web Content Accessibility Guidelines (WCAG)