Smart Quotes and Coding Examples


Every so often, I copy and paste some code from a website and it utterly fails. This is probably a good reminder not to practise ✂️ & 📋 development, but it is also a reminder that "smart" formatting often trips up new students.

Here are a few examples I've seen recently - produced as a result of computers trying to be cleverer than humans, and humans not checking if computers are being stupid.

Curly Quotes

Screenshot of an XSS attempt with smart quotes.

Is this code valid?

<a href=“example.html”>read more</a>

Yes! Let's read the HTML Specification on the syntax of attributes:

Unquoted attribute value syntax

The attribute name, followed by zero or more ASCII whitespace, followed by a single U+003D EQUALS SIGN character, followed by zero or more ASCII whitespace, followed by the attribute value, which, in addition to the requirements given above for attribute values, must not contain any literal ASCII whitespace, any U+0022 QUOTATION MARK characters ("), U+0027 APOSTROPHE characters ('), U+003D EQUALS SIGN characters (=), U+003C LESS-THAN SIGN characters (<), U+003E GREATER-THAN SIGN characters (>), or U+0060 GRAVE ACCENT characters (`), and must not be the empty string.

If you write <a href=example.html>read more</a>, the HTML parser will take you to the page example.html.

But if you write <a href=“example.html”>read more</a>, the parser will treat the curly quotes as a literal part of the attribute value and take you to the page %E2%80%9Cexample.html%E2%80%9D.

Smart quotes may work - but they may also behave unexpectedly.

The same problem occurs on the command line:

Screenshot of a command line which has curly quotes.

That's sqlmap -u “URL” … - some command line programs will ignore the quotes - but most won't.

A grave mistake

The same issue occurs with single quotes. Apostrophes become directional.

SQL statements where the quotes have become accent characters.

Will this code work? SELECT * FROM whatever WHERE thing = `example´; Nope!

We've known about these problems for decades.

When is a dash not a dash?

On the command line, it's common to write -h or --help. That's either a single or double hyphen.

The problem is, there are lots of typographical hyphens. Some website publishing systems will "helpfully" convert a humble hyphen into an exotic "en-dash", while some word processors will take -- and transmogrify it into —.

This leads to code like ./foo --scan becoming ./foo —scan

Consider this example:

Screenshot of a command line invocation which has a mixture of dashes and en-dashes.

Can you tell which are en-dash and which are hyphens?

For a practical example, try running this code: nmap –h - how does it compare to nmap -h ?

A small plea

Dear educators everywhere. Your students are going to copy and paste the code that you put in your examples. Before you publish that blog post, or send out that PowerPoint, please take five minutes to make sure the examples you include actually work properly.

And, to students, STOP COPYING AND PASTING CODE! You'll learn much more if you type things in yourself. By using tab-complete and judicious use of --help, you'll understand what the options are and what they do. That's much more important than mindless repetition.
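For educators, one way to automate part of that five-minute check before publishing. This is an added example, not code from the original post; the function names, the character table and the sample snippets (modelled on the post's examples) are constructed here.

```python
import unicodedata

# Typographic characters the post shows replacing ASCII in code samples,
# mapped to the ASCII text the author most likely meant (an assumption).
# The ASCII backtick is not flagged: it is valid syntax in shells and MySQL.
SUSPECT = {
    "\u201c": '"', "\u201d": '"',   # curly double quotes
    "\u2018": "'", "\u2019": "'",   # curly single quotes / apostrophe
    "\u00b4": "'",                  # acute accent used as a closing quote
    "\u2013": "-",                  # en dash
    "\u2014": "--",                 # em dash (word processors build it from --)
}


def find_smart_punctuation(snippet):
    """Return (line, column, char, unicode_name, ascii_guess) per suspect character."""
    findings = []
    for line_no, line in enumerate(snippet.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in SUSPECT:
                findings.append((line_no, col, ch, unicodedata.name(ch), SUSPECT[ch]))
    return findings


def report(snippet):
    """Format each finding as one human-readable line."""
    return [
        f"line {ln}, col {col}: U+{ord(ch):04X} {name} (did you mean {guess!r}?)"
        for ln, col, ch, name, guess in find_smart_punctuation(snippet)
    ]


# Constructed samples modelled on the post's examples.
SAMPLES = {
    "html": "<a href=\u201cexample.html\u201d>read more</a>",
    "sql": "SELECT * FROM whatever WHERE thing = `example\u00b4;",
    "shell": "./foo \u2014scan\nnmap \u2013h",
    "clean": "./foo --scan\nnmap -h",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"[{label}]")
        print("\n".join(report(text)) or "ok: no typographic punctuation found")
```

Run it over every code sample in a post or slide deck before publishing; any output means a reader who pastes the sample will get different bytes from the ones you tested.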



3 thoughts on “Smart Quotes and Coding Examples”

  1. DinoNerd says:

    Smart quotes are arguably the earliest example of a tendency that's since gone much much farther in computer interface design - substituting aesthetics for clarity and precision.

    Alternatively, that honor goes to the people who converted html from a markup language that specified intent - emphasis etc. - leaving it up to the browser to interpret that in a way that worked for the user - to one that attempted to produce the exact appearance desired by the page designer, useless to anyone with disabilities, or sometimes even the wrong sized screen.

    Either way, that tendency has since gone much farther. Some people would rather have a beautiful tool of limited, inefficient functionality, than one that does the job as efficiently as possible. I presume they spend more time gazing at their beautiful computer screens than trying to use the computer for anything except an art exhibit. But sadly, many of them are leading the design teams of many software and hardware vendors.
