There are two quite different reasons for implementing HTML generation on a website. The first reason is to insert dynamic content, content that comes from a database or is algorithmically generated, into pages. The second reason is templating: to ensure that standard, site-wide parts of the HTML, such as headers and footers, are pulled from a single source. The goal of the first is to have a dynamic, database-driven site. The goal of the second is to avoid having to edit tens, or hundreds, of HTML files when the site design changes, and to avoid copy-and-paste coding.
Most dynamic web applications solve both of these problems with a single, powerful, HTML generation language. Pylons uses Mako. Ruby on Rails and PHP use templates with escapes and inline code. I’ve never liked these solutions because they seem too powerful and too error-prone. It’s very easy to leave out a closing tag or forget a critical attribute. And nothing other than good discipline and code review is stopping a web designer (or an attacker) from bypassing the application’s pretty MVC structure and opening a socket to connect to the database server in viewpost.php. But people have continued to use these HTML generation languages, because they were the only solution to a tough problem.
So why is it important to make this distinction between the two kinds of HTML generation? And can this distinction point the way to eliminate the problems with these HTML generation tools?
If the only reason left to generate HTML is to modularize various static site components, very simple, old-school solutions like server-side includes, or solutions like XSLT that were only ever intended for static document templating, become viable again. Both of these solutions are simple enough and protected enough to trust non-programmer designers with. This is how I am generating the two HTML pages on Spydentify now, and I’m extremely happy with it.
Using this pattern, all HTML generation can always be safe and compartmentalized, and overly powerful, ugly, and error-prone HTML generation languages can be left behind forever.
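As an added example (not code from this post or from Spydentify), here is a build-time expander in Python that accepts only the server-side include directive and refuses everything else, which is the property that makes this style of templating safe to hand to designers. The function names, the error class and the fragment files are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches any SSI-style directive: <!--#name arguments -->
DIRECTIVE = re.compile(r'<!--#(\w+)\s*(.*?)\s*-->', re.S)
INCLUDE_ARG = re.compile(r'^(?:virtual|file)="([^"]*)"$')
MAX_DEPTH = 8  # bounds nesting so a fragment cannot include itself forever


class TemplateError(Exception):
    """Raised for any directive or path the expander refuses."""


def expand(text, root, depth=0):
    """Expand include directives in text, reading fragments only from root."""
    if depth > MAX_DEPTH:
        raise TemplateError("include nesting too deep")
    root = Path(root).resolve()

    def replace(match):
        name, arg = match.group(1), match.group(2)
        if name != "include":
            # exec, set, if and the rest are refused: include is the whole language
            raise TemplateError(f"directive not allowed: {name}")
        m = INCLUDE_ARG.match(arg)
        if not m:
            raise TemplateError(f"malformed include: {arg!r}")
        # Resolve the path, then require that it still lies under root
        target = (root / m.group(1).lstrip("/")).resolve()
        if not target.is_relative_to(root) or not target.is_file():
            raise TemplateError(f"not a file inside the fragment directory: {m.group(1)}")
        return expand(target.read_text(encoding="utf-8"), root, depth + 1)

    return DIRECTIVE.sub(replace, text)


def demo():
    """Build one page from constructed fragments in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "header.html").write_text("<header>Site</header>", encoding="utf-8")
        Path(tmp, "footer.html").write_text("<footer>2024</footer>", encoding="utf-8")
        page = ('<!--#include virtual="/header.html" --><p>Hi</p>'
                '<!--#include virtual="/footer.html" -->')
        return expand(page, tmp)


if __name__ == "__main__":
    print(demo())
```

When a web server expands the includes itself, the equivalent restriction is a server setting; Apache's `Options IncludesNOEXEC`, for instance, enables includes while disabling the exec directive.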