Social Media

Don’t touch that tweet

As many people are discovering, Twitter has been compromised, and badly.

It would seem, from what I can piece together from the web sites discussing the problem, the new Twitter interface doesn’t bother to do a little thing called escaping the input so that JavaScript can’t be inserted into Twitter messages. Messages have then been posted that capture the MouseOver event on links and play havoc with the page (if not re-directing you to porn sites).

We’ve been indulgent of Twitter for too long, probably because it’s simple, easy, and free. However, the company’s habit of piling on new additions, without ensuring that they are either robust or secure, has now bit it in the butt. Bit us in the butt, I should say. I frankly have lost trust in the application, and have to re-think if I want to continue using the site and services. At a minimum, I am looking at third party applications rather than accessing Twitter, directly.

Maybe this event is a reminder that Twitter isn’t the only way to communicate; that it’s time to get back to writing. Real writing, with punctuation and words without the vowels removed.

For now, don’t access Twitter until you see all clear messages from reliable sites at Techmeme.

update Netcraft has a nice rundown on the genesis of the problem. And I’m trying TweetDeck for the first time. Don’t really care for it.

second update Why on earth doesn’t Twitter shut down the web site until the problem is fixed? Irresponsible isn’t the word that comes to mind, right now.

third update Supposedly the Twitter XSS exploit was fixed this AM. Oh, but, fa la la!—Twitter also posted some new stuff, so that people are all talking about the cool new stuff—rather than the obvious security flaw the company left in its application, and that it actually left the web site up while fixing the bug.

HTML5 Specs W3C

Review and comment on the W3C HTML5 specification

The IE Blog recently posted a guide to the W3C process of taking HTML5 to Last Call (LC). The writing included a call to those not currently involved in the W3C HTML Working Group (WG) to review the HTML5 specification and file bugs and LC comments.

The HTML WG has good representation from the browser companies, other major vendors, and the accessibility community. However, the participation from web developers, designers, and smaller tool and utility builders is a little sparse (and further representation from vendors, browser developers, and those working with accessibility issues would always be welcome). Since HTML isn’t just a browser specification, and impacts on more than just Firefox, Chrome, IE, Opera, and Safari, it’s important all groups evaluate the HTML5 specification—to ensure that all web community interests are represented in the final effort.

I join with the IE Blog team in recommending that everyone take some time to review HTML5. However, I also realize that the HTML5 specification isn’t a document for the faint of heart, or those short of time. In order to encourage wider review, I’m posting this as a guide through the labyrinth of processing algorithms, new elements, and cat-featured examples that we know as HTML5. First, though, I want to expand on the HTML WG Last Call process introduced in the IE Blog post.

HTML5 Specs W3C

How to comment and when

The most important point to remember during the review is to make sure you’re reviewing the correct document. You’ll want to review the W3C version of the HTML5 specification. Though the WhatWG group maintains a document that is frequently referred to as HTML5, it isn’t comparable to the W3C version of the document, as it does differ from the official W3C version of the HTML5 spec.

The IE Blog mentioned about making comments in the public-html-comments email list. This list is open to everyone, and you don’t have to be a member of the W3C or the HTML WG to send an email or subscribe to this email list. However, if you want your concern addressed within the HTML WG Decision Process, you’ll need to file a bug and do so before October 1st.

Prior to October 1st: Filing Bugs

If you find an error or want to submit a recommended change, and it’s before October 1st, you’re better off filing a bug against the specification. You don’t have to be a member of the W3C or HTML WG in order to file a bug. It’s easy and quick to create a Bugzilla account.

When you do file a bug against the HTML5 specification, make sure you file it against the HTML WG Product. When the bug entry page opens, select “HTML5 Spec (editor: Ian Hickson)” from the Components listed in the page. You can also file bugs against other components, but I’m focusing just on the HTML5 spec in this guide.

You should search through the bugs, first, to see if a bug has already been filed on the error you’re reporting, or the change you’re requesting. No worries, though, if you miss some bugs and end up filing a duplicate: someone will note that it is a duplicate, and process the bug, accordingly.

Provide as much information as you can. Try to be concise, but thorough. The fields you should focus on are the Summary field and the Description. The Summary is a title for the bug and the Description provides the details. You don’t want to change any of the drop-down values and you should be automatically added to the cc list for the bug.

If the bug is non-editorial—not related to fixing an error, including typographical errors—you’ll want to add the NE (Not Editorial) keyword to the keywords field. Adding this keyword also ensures that a copy of the bug is sent to the HTML WG members. If in doubt, leave off the keyword—it will be added by others at a later time. Also add other keywords as you deem appropriate. (Clicking on the Keyword label opens a page with the available keywords.)

If you’re new to filing bugs, there are bug writing guidelines.

Your bug could trigger a lively debate in the bug comments. Don’t be intimidated by the debate. Do join if if you think your doing so helps in determining how the bug is resolved. Don’t join in just to repeat your arguments over and over again, no matter how provoked. No one has ever been impressed with anyone because of what they say in a bug, so don’t try to impress anyone—communicate simply, cleanly, and succinctly.

The editor may not understand what you’re asking and ask for more information. If he does, provide the additional information, or ask him for clarification about what he needs. Don’t expect an immediate response. Some bugs have taken months to be resolved. However, with the new LC timeline, all bugs should be addressed by December.

If the editor agrees with you and modifies the HTML5 specification in order to resolve the bug, review the fix, and signal that you’re you’re happy with it by closing the bug. If you don’t agree with the fix, or if the editor marks the bug as WONTFIX, you have another option: escalate the bug to an issue. You do this by adding the TrackerRequest keyword to the bug. Eventually, the TrackerRequest keyword is changed to TrackerIssue and an issue number assigned.

If you’re following a bug but are not the reporter, and the editor resolves the bug and you’re not happy, you can also trigger a TrackerRequest. You don’t have to be the bug reporter in order to escalate the bug to an issue.

What happens with issues at this point gets a little tricky.

Once an Issue has been raised

Once a bug has been raised to an issue via TrackerRequest in the bug database, it’s made into an issue. All bugs entered into the database before October 1st that end up as issues enter the HTML WG Decision Process. The first phase in the process is to file a Change Proposal for the bug.

Technically, you don’t have to be a member of the HTML WG in order to file a Change Proposal. All you need do is grant ownership of the copyright of your proposal to the W3C and agree to the W3C patent policy. A procedure I’d recommend is to send the Change Proposal as an email to public-html-comments, copy the copyright grant and patent acknowledgment to the end of the proposal, and notify the HTML WG co-chairs of the Change Proposal. You should then be in compliance with the HTML WG Decision Process.

However, filing a Change Proposal when you’re not a member has never been tested, and when I attempted to do so, I received some strong push back. I still think it is a viable approach, but be forewarned that the HTML WG co-chairs may get bitchy about the whole thing. You might be better off just joining the HTML WG. Unless you work for a W3C member, you can easily join the group as an Invited Expert and it doesn’t cost you a penny.

The co-chairs will call for a counter-proposal once you’ve filed your change proposal. If none is filed, the co-chairs will ask for a Call for Consensus on the proposal. If counter or alternative proposals are filed, the co-chairs will make a decision based on all of the proposals—the new Last Call timeline does not include any time for surveys. If you disagree with the decision, and you feel strongly about the issue, file a Formal Objection, covered later.

Filing a Bug after October 1st and Last Call Comments

Bugs filed after October 1st are handled differently. Instead of going through the bug/issue/decision process, the bug is automatically labeled a Last Call comment.

A Last Call comment is equivalent to a working group issue but without the formal change proposal/counter proposal. LC Comments have to be resolved in some way in the working group before the specification can proceed to the next state.

You can also post LC comments to public-html-comments but you might want to make a note in the subject line that you want the comment to be treated as a Last Call comment—or otherwise designate that the comment as something that requires an HTML WG response. So that LC comments sent to public-html-comments can be referenced with a specific identifier and tracked, they will be entered into the bug or issues database.

What Should you say, and how should you say it

The HTML WG may end up with a Last Call comment template, similar to what’s provided for change proposals. Generally, though, there’s a couple of things to keep in mind when writing your comment.

The HTML WG and the HTML WG co-chairs (not to mention the W3C team rep, contact, and Director) want technical discussions. They like technical discussions. Social discussions, or discussions that border on anything related to beliefs, feelings, or global goodness leaves them cold, which then leaves your requested change out in the cold. This means you should word your concerns using technical terms as much as possible and, if relevant to your concern, provide a technical solution.

You don’t have to write a book. In fact, assume that the HTML WG has exactly five minutes to devote to your comment or change proposal, so cover the important bits and leave your inner James Joyce at home.

If your comment or proposal generates discussion, do participate, but do so carefully. There are discussion guidelines for all email groups within the W3C, and there’s an additional Discussion guideline for the HTML WG. To rephrase what the guidelines say:

Participate, but if you find yourself repeating what you’ve said earlier, then stop. And if people disagree with you and you don’t have anything new to add in response, just thank the person, say you disagree, and let it go.

Use a neutral tone of voice. This is tough, because we all know that we’re right and those idiots are wrong. But pretend those idiots are your beloved, white haired old granny, who would be horribly hurt if you responded the way you would like to respond. So treat the idiots kindly and respectfully. If nothing else, a calm, measured response will drive them crazy.

And now, I want to tell you about the wild squash plant in my garden. No, not really. Now I want to mention how you have to stay on topic in the discussions. If you don’t, the co-chairs, otherwise collectively known as “Dad”, will send you a “tut tut” email. This email is going to irritate the hell out of you—so stay on topic.

Of course, I’m one to give advice, considering that I have had some significant difficulties with members of the HTML WG. All I’ll say is that I’m not completely to blame for the problems but I’m not blameless, either, which is usually the way these things go.

For one, I was overly persistent—getting my teeth into something and not letting it go, long past the point when anything useful could be dragged from the discussion. It was bad enough if the topic was technical in nature, but I would also do so about group procedures, and this was the equivalent to fingernails on a chalk board for some in the group.

In addition, I can be a bit of a know-it-all in the discussions. There’s a fine line between being confident of your viewpoint, and being arrogant, sarcastic, or pedantic, and I crossed this line more than once. Sometimes I did so unknowingly; other times, because I was angry or frustrated, or was responding to what I perceived to be know-it-all behavior in others. Regardless of reason, it’s not an effective communication technique.

If you do participate in a debate about your comments or change proposals in the mailing lists, and you recognize both behaviors in others or yourself, just stop. And if you do find yourself getting pissed, walk away. You’ll live longer, and your cat won’t be afraid of you.

Formal Objections

Hopefully, in all of the proposal, counter-proposal, LC comments, and related discussions, decisions will get made most people can live with and the HTML5 specification will progress. Since much of the document has no independent implementations, the W3C will most likely make a call for implementations. During the implementation phase, more problems may be discovered, and there will be additional time for reviewing or filing bugs.

If you find, though, that there was a decision you can’t live with, you do have one final option: file a Formal Objection. A Formal Objection is the procedural equivalent of a missing end tag in an XHTML document: it generates a draconian response. Formal Objections go the Director, otherwise known as Sir Tim Berners-Lee. Sir Tim invented the inter-web tube thing. Sir Tim is a very busy man. I also have the impression that he doesn’t suffer fools gladly. If you’re going to file a Formal Objection, you better make sure you know what you’re doing, and follow the procedure for Formal Objections exactly.

Ah, but we all know that the community interested in HTML5 is an easy going cooperative group, so why worry about things like Formal Objections?

OK, enough with procedures: let’s get onto the document.

HTML5 Specs W3C

The HTML5 Document structure

If you’ve seen the HTML4 specification and are expecting something similar, you’re in for a surprise and not necessarily a pleasant one. The HTML5 document differs significantly.

The HTML5 document not only includes the markup syntax you would expect but it also includes the Document Object Model (DOM) for the HTML elements, as well as the parsing algorithms recommended for applications such as browsers. This leaves us with one very big document that is geared to multiple audiences. What you have to do, then, is dig through the document for the bits that interest you.

From the top:

Section 1: The Introduction

The first section provides an overview of the HTML5 specification and should be read by all audiences. It provides some background information and sets the stage for what follows. It also provides a description of the typographical conventions used in the document.

There’s two phrases that appears in this section and others: normative and non-normative. What non-normative means is that the section is provided for information purposes but isn’t definitive. The normative stuff is the rules and requirements bits.

Section 2: Common Infrastructure

This section is geared more towards application builders, primarily those building HTML parsers, browsers, or utilities. It should also be of interest to web applications builders because it introduces the DOM. Folks interested in HTML elements and their syntax may find most of this section a bit difficult to plod through. However, there is one section, Section 2.2.2 covering Extensibility, that is of interest to authors, as are the sections about general syntax for items such as colors.

Another phrase is introduced in this section: non-conforming. What this means is just what it says: if you do something that’s non-conforming, your document won’t be considered conforming. Oh, your page should still work fine in browsers and other applications, but you’ll get lots of grumbles when you run the page through a validator. I’ll have more on conforming, as compared to deprecation and obsolete later.

Section 3: Semantics, Structure, and APIs of HTML Documents

Section 3.1 is focused more on web application developers and browser builders, so web authors and designers can probably give it a pass. Section 3.2 gets into the structure of HTML elements, and should be read by everyone since it provides basic background for all of the HTML elements. Section 3.2 also contains a reference to the ARIA (Accessible Rich Internet Applications) mappings, so it is especially important that those folks interested in accessibility carefully review the material.

For those interested in accessibility, I also recommend that you check out another document, HTML5: Techniques for providing useful text alternatives. And do check back, in case some of the ARIA material ends up in a separate document, or is significantly re-written. In addition, expect either a new document or section on media accessibility for the new media elements. Support for accessibility is one area of expected change in the HTML5 document in the next several months.

Sections 3.3 through 3.5 are again focused at web developers rather than authors and designers.

Section 4: The Elements of HTML

Section 4 is the money section of the HTML5 document, providing a list of all the HTML elements. Everyone needs to go through this section, but not every component of the section needs review. As I mentioned earlier, the HTML5 specification merges the DOM APIs in with the HTML syntax, so the coverage in this section skips between audiences.

As a rule of thumb, the element syntax and use is covered in the first part of the sub-section related to the element, while the API is covered in the latter part. Many of the elements—such as nav, section, article, div—don’t have unique API needs, so there isn’t an associated DOM section, as they all share the API for one object, HTMLElement. The API for HTMLElement was covered earlier, in Section 3.2.

However, some elements, such as the new audio and video elements, do have their own unique DOM needs, which are covered following the discussion about the element syntax. Note, though, that web application functionality is interwoven among the syntax description, so expect to have to jump about a bit. Regardless, web authors should read through the entire section and just ignore the programmatic bits.

There are some new form elements, but most of the new form functionality comes from newly added form input types, which are covered in Section 4.10.7. It’s a bit tricky going through this section, as implementation of the new form functionality is sporadic, at best. Wikipedia has a table that shows which form input type is implemented in which browser (among other things). What you can look for in this sections is inconsistencies that would normally be driven out in implementation (or that could create havoc if implemented, as is).

There are also new form attributes, such as autofocus, placeholder, and the like. Most of the new attributes have been implemented in at least a couple of browsers.

Section 4.11 is labeled “Interactive Elements” and web authors may assume this section is about JavaScript-related functionality and think to skip it. However, this section covers many of the new declarative elements, which require no JavaScript. Declarative elements are ones where the functionality is baked into the element rather than implemented with code. As with form input types, though, many of these new declarative elements have not yet been implemented by any browser.

There’s a section titled “Common idioms without dedicated elements”. Oh, I’m really trying to get rid of this section. It’s best to let usage derive organically, rather than try to dictate it within a web specification. Feel free to read the section, but remember all of the material is this section is suggestion, only.

There’s also a document you may want to glance through that covers just the elements and their syntax, HTML: The Markup Language Reference. It might be a lot easier to read, though you should review the HTML5 document for bugs and concerns during this Last Call process.

Another document of interest is the HTML Canvas2D Context, which covers the guts, if I may use such an indelicate term, for the Canvas element. If you’re interested in working with Canvas, you’ll definitely want to check out this document.

Section 5: Loading Web Pages

This section and the next are actually old friends that are under new management. If you’ve worked with JavaScript applications in the last ten years, you know about the Window object, History, and so on. You also know that this functionality has never been standardized. Well, it is in HTML5.

It’s good to see this functionality finally standardized. Unfortunately, and there’s little disagreement about this, it really doesn’t fit within an HTML5 specification. However, trying to separate it out from the document was something none of us wanted to attempt—not without a guarantee that the effort wouldn’t be disregarded and rejected by the powers-that-be.

This section is for web and application developers. The page load processing model might be of interest to web authors and designers curious in how it works, but the focus of this section really is on developers. And web application developers should give this section a very careful perusal, because they may find some of their existing web applications no longer working as expected because of what’s documented in this section.

Section 6: Web Application APIs

The title tells you what you need to know, upfront: this is for developers. This is the remaining components of what used to be known as the Browser Object Model, and also includes an overview of event handling, events, and timers. Web authors and designers can also give this section a pass.

Section 7: User Interaction

Everyone is going to want to go through Section 7. It describes new attributes, such as hidden, and standardized versions of functionality, such as drag and drop and contenteditable. What’s interesting about this section is that we’re looking at a blend between functionality and structure, which is going to create a challenge for those building web sites. Should the structure components be added by designers, such as the use of the hidden attribute, or the drag and drop attributes? Or do the application developers add these in using JavaScript when the pages are loaded?

Web page authors should go through the section to understand what you can do with a web page. Web application developers should peruse it more carefully; to review the functionality for possible gotchas and future problems.

Section 8: The HTML Syntax

This section provides an overview of the HTML syntax, but the description is given from a browser parsing perspective, rather than in language geared to web authors, and even web developers. If you’re a web author and developer, do feel free to look through the section, but if you find yourself losing interest in the first few paragraphs, you can probably skip this section.

The section that might interest you the most is Section, which covers optional tags. This tells you when you can or cannot omit tags. It’s not easy to follow, but it can help you determine why you’re having problems with your documents, and getting all those errors and warnings when you test your documents in a validator.

Section 9: The XHTML Syntax

If you’re like me, and mostly use XHTML for your documents, give this section a once over. However, you may also want to examine another document, HTML/XHTML Authoring Compatibility Guidelines. This document provides an overview of the differences in syntax between HTML5 and XHTML5, including quoting attribute values, closing elements, and so on.

Section 10: Rendering

Now this is an interesting section. This is where the HTML5 editor is providing guidance about how elements are to be rendered. It’s important to note, though, the following disclaimer in the very start of the section:

User agents are not required to present HTML documents in any particular way. However, this section provides a set of suggestions for rendering HTML documents that, if followed, are likely to lead to a user experience that closely resembles the experience intended by the documents’ authors. So as to avoid confusion regarding the normativity of this section, RFC2119 terms have not been used. Instead, the term “expected” is used to indicate behavior that will lead to this experience.

To me, the use of expected sets expectations, but you can’t depend on this. As we are finding, how many of the new elements and form types are rendered does differ between browsers and operating system, and there’s little we can do to style most of the elements.

Look through the section, note inconsistencies, and file any concerns.

Section 11: Obsolete Elements

Earlier I mentioned about the non-conforming phrase. Unlike HTML4, the concept of deprecation is no longer supported; neither is the concept of validation. Now, a use of an element or attribute is conforming or not, and an element can be obsolete but conforming, which is the HTML5 version of deprecation. In addition, elements and attributes no longer go through a deprecation period, first, but can be labeled immediately obsolete, such as the longdesc attribute.

The whole point on this change is that supposedly no element or attribute will ever not be supported by user agents, which is something that deprecate and obsolete imply in earlier versions of HTML. I’ll be frank and say I don’t agree with this change or philosophy, or the entire obsolete but conforming designation, or making elements and attributes obsolete without first deprecating them. There is an issue on this currently (Issue 106), but no change proposals. However, I am filing a LC Comment on this section, and the concepts.

In the meantime, look through the list, see if you can spot any old friends among the newly dead.

Section 12: IANA Considerations

Of interest to application and web developers, but probably not of interest to web authors and designers.

That’s the last of the sections. Note that you don’t have to rush out today and begin reviewing HTML5, because the formal call for Last Call comments won’t happen until next April or May, and you’ll still have a period of time to comment, following. However, the sooner you do file concerns and bugs, the sooner they’re addressed (and the sooner they’re implemented the way you want).

Have fun.


Provocative language

Well, this is a kicker.

Since I encouraged a person to file a bug on HTML5, when the editor refused to make the fix, I pushed to have the item made into an issue. It wouldn’t be fair for me to do so and not provide a change proposal. However, I was informed that I needed to rejoin the group, in order to file a change proposal.

This is something I don’t want to do. I don’t like working with the HTML WG. I don’t feel comfortable in the group. However, there is no way a person from outside the group, who files a bug that becomes an issue, can walk that item through the issue process unless they are a member. Our alternative is to bypass the issue process altogether and file a Formal Objection, which is a heck of a lot more draconian.

OK, fine: if the only way to file a change proposal is to be a member, because of the patent policy, I’ll rejoin. Then I received an email back from the W3C contact for the group, telling me I could rejoin only on a probationary basis and only if I, to quote, avoid filibustering and provocative language.

Provocative language? Leaving aside telling me to avoid “filibustering” in an email group that can have discussions spanning months, and issues that can take years to resolve, what exactly is “provocative language”? Is this article, where the BBC talks about HTML5 becoming adrift and points to another writing of mine that questions why Apple, Mozilla, and Opera are working against open standards considered provocative language?

Maybe the provocative language is the discussion related to the divergence of the WhatWG and W3C HTML documents, and the formal objection I filed related to this matter? Or it could be because I called the HTML5 effort a mess?

Perhaps the provocative language is contained in this recent article, where I discuss the lack of women in leadership positions at the W3C, the browser companies, and the WhatWG, and the fact that the women are too frequently drowned out in the contentious debates, and seldom acknowledged.

I suppose any one of these could be considered “provocative language”. The question I asked the W3C contact and the co-chairs, when I declined their so generous invitation: is any of this false?

Probation in an open standards effort such as those in the W3C is anathema to open and honest communication. Restrictions to avoid “filibustering” or “provocative language” doubly so.