When the user is not logged in, Drupal adds a hidden input named PHPSESSID to forms. This input is misplaced according to xhtml 1.0 specs. It is currently placed immediately inside the form tag but according to the spec it must be placed in a block level tag (e.g., "p", "h1", "h2", "h3", "h4", "h5", "h6", "div", "pre", "address", "fieldset", "ins", "del").

I recommend placing this hidden input either inside it's own div element or inside the container div which contains the rest of the form.

I would fix this in my theme if I could track down where this variable is added but I haven't been able to so far.

I have attached an html sample with valid and invalid markup. You can run it through the W3C validator at http://validator.w3.org/.

CommentFileSizeAuthor
form_sample.html623 bytestangent

Comments

tangent’s picture

tangent commented

This problem persists in the latest cvs code.

Steven’s picture

Steven commented

This has nothing to do with Drupal. It is a PHP feature, so the bug should be reported with PHP.

Turn off session.use_trans_sid in php.ini or through .htaccess to get rid of the PHPSESSID in URLs.

lvadillo’s picture

lvadillo commented

I've been trying to validate an xtemplate I'm going to put on line (XHTML 1.0 strict), to my surprise there were quite a few validating errors.

1) The ones due to to PHPSESSID went away when adding in .htaccess
"php_flag session.use_trans_sid off", as recommended in other threads here. I still don't really know what I'm taking away with this command, anyway, I would say that even with it "on" it should be
W3C compliant. I've looked at the coding (I have no idea about php) and found some type="hidden"
inputs that are not within a block as the spec calls for some "

2) Besides the PHPSESSID, I found that there were also others not inside the normal "

" block (in the login screen), these were "function form_hidden()" and "function form_button()" in COMMON.INC. I then put a

with no height and bottom to validate them and be non-intrusive to layout.

3) The "print" option of the book was also non conforming, I edited "function book_print()" and "function book_print_recurse()" in BOOK.MODULE, to show the coded as XHTML 1.0 as the rest (the dirty way I would say) and cleaned a couple of validating errors.

lvadillo’s picture

lvadillo commented

CONTINUES...

2) Besides the PHPSESSID, I found that there were also others not inside the normal "

" block (in the login screen), these were "function form_hidden()" and "function form_button()" in COMMON.INC. I then put a

with no height and bottom to validate them and be non-intrusive to layout.

3) The "print" option of the book was also non conforming, I edited "function book_print()" and "function book_print_recurse()" in BOOK.MODULE, to show the coded as XHTML 1.0 as the rest (the dirty way I would say) and cleaned a couple of validating errors.

xand’s picture

xand commented

Are there any side effects to setting

"php_flag session.use_trans_sid off"

in .htaccess? Otherwise, why is it not done with the default Drupal .htaccess file?

Stefan Nagtegaal’s picture

Stefan Nagtegaal commented

From 4.6 this _is_ done inside the settings.php...