[drupal-devel] [bug] Drupal forms do not validate as xhtml 1.0

stefan nagtegaal drupal-devel at drupal.org
Sat Apr 2 09:39:35 UTC 2005

Issue status update for http://drupal.org/node/10637

 Project:      Drupal
 Version:      cvs
 Component:    user system
 Category:     bug reports
 Priority:     normal
 Assigned to:  Anonymous
 Reported by:  tangent
 Updated by:   stefan nagtegaal
 Status:       won't fix

>From 4.6 this _is_ done inside the settings.php...

stefan nagtegaal

Previous comments:

September 8, 2004 - 01:18 : tangent

Attachment: http://drupal.org/files/issues/form_sample.html (623 bytes)

When the user is not logged in, Drupal adds a hidden input named
PHPSESSID to forms. This input is misplaced according to xhtml 1.0
specs. It is currently placed immediately inside the form tag but
according to the spec it must be placed in a block level tag (e.g.,
"p", "h1", "h2", "h3", "h4", "h5", "h6", "div", "pre", "address",
"fieldset", "ins", "del").
I recommend placing this hidden input either inside it's own div
element or inside the container div  which contains the rest of the
I would fix this in my theme if I could track down where this variable
is added but I haven't been able to so far.
I have attached an html sample with valid and invalid markup. You can
run it through the W3C validator at http://validator.w3.org/.


September 11, 2004 - 16:54 : tangent

This problem persists in the latest cvs code.


September 11, 2004 - 17:02 : Steven

This has nothing to do with Drupal. It is a PHP feature, so the bug
should be reported with PHP.
Turn off session.use_trans_sid in php.ini or through .htaccess to get
rid of the PHPSESSID in URLs.


November 9, 2004 - 02:29 : lvadillo

I've been trying to validate an xtemplate I'm going to put on line
(XHTML 1.0 strict), to my surprise there were quite a few validating
1) The ones due to to PHPSESSID went away when adding in .htaccess
"php_flag session.use_trans_sid off", as recommended in other threads
here. I still don't really know what I'm taking away with this command,
anyway, I would say that even with it "on" it should be
W3C compliant. I've looked at the coding (I have no idea about php) and
found some type="hidden"
inputs that are not within a block as the spec calls for some "


November 9, 2004 - 02:32 : lvadillo

2) Besides the PHPSESSID, I found that there were also others not
inside the normal "" block (in the login screen), these were "function
form_hidden()" and "function form_button()" in COMMON.INC. I then put a
 with no height and bottom to validate them and be non-intrusive to
3) The "print" option of the book was also non conforming, I edited
"function book_print()" and "function book_print_recurse()" in
BOOK.MODULE, to show the coded as XHTML 1.0 as the rest (the dirty way
I would say) and cleaned a couple of validating errors.


November 9, 2004 - 09:10 : xand

Are there any side effects to setting 
"php_flag session.use_trans_sid off"
in .htaccess? Otherwise, why is it not done with the default Drupal
.htaccess file?

More information about the drupal-devel mailing list