[Zope-dev] Re: [Zope-Checkins] CVS: Zope/lib/python/TAL -TALInterpreter.py:1.69.6.10

Andy McKay andy@agmweb.ca
Mon, 23 Dec 2002 09:29:54 -0800


> But why? Why escape double quotes when it's not a reserved character?
> I really don't understand the need, and the example in the collector
> doesn't convince me. What is the problem?

The problem occurs where you want to include the value of a variable inside an
attribute.

For example:

<input type="string" tal:attributes="value someValue">

By default Page Templates replaces the escaped value in the form, unless
"structure" is specified. If someValue contained a " (eg: test with a "
quote) then you would get the following invalid html (this is what you
currently get):

<input type="string" value="test with a " quote">

This of course should be (and what the patch changes it to):

<input type="string" value="test with a &quot; quote">

If you do not escape double quotes in the Page Template html quoting
function, you will never be able to easily use Page Templates unless you are
sure that someValue does not have double quotes escaped. This would mean
having to import an escaping function into your page templates or adding an
extra layer of python involved for almost every use of a variable.

Otherwise you would be living on the edge as you would never be quite sure
if your HTML is properly escaped. For example this occurs in almost all of
the CMF skin. Note that in good old DTML if you use html_quote, you're
escaping " by default (lib\python\DocumentTemplate\html_quote.py).

If we are escaping <> and &, I see no reason not to escape " as well.

And I believe the Zope Book Appendix C needs updating to reflect this.

> > > (And if it's a fix it should be in HEAD too.)

Why?

Test checked in by the way.
--
  Andy McKay
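The point Andy is making, as an added example that is not TAL's or Zope's code: a quoting function that escapes only `&`, `<` and `>` is enough for element text but not for a double-quoted attribute value, because a browser's tokenizer ends the attribute value at the next `"` and reads whatever follows as further attributes. The snippet below puts the two quoting variants side by side, renders the `<input>` from the message, and runs the result through a small start-tag tokenizer modelled on the HTML spec's double-quoted attribute value state (only the subset needed here is implemented: no single quotes, no self-closing tags). The `render_input` helper, the `parse_start_tag` tokenizer and the `" onmouseover="alert(1)` input are constructed for this illustration; they are not part of the patch under discussion.

```python
"""Added example: why an HTML quoting function must escape double quotes.

Illustrative code only, not TAL's or Zope's implementation.  quote_without_dq
escapes only &, < and > (the behaviour the message complains about);
quote_with_dq also escapes " (what the message says the patch does).
"""
import html


def quote_without_dq(s):
    """Escape &, < and > only.  & goes first so existing entities are not double-escaped."""
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def quote_with_dq(s):
    """Escape &, <, > and " so the value cannot close a "-delimited attribute.

    Caveat (not covered in the message): a template that delimits attributes
    with single quotes would additionally need ' escaped.
    """
    return quote_without_dq(s).replace('"', "&quot;")


def render_input(some_value, quote):
    """Constructed stand-in for <input type="text" tal:attributes="value someValue">."""
    return '<input type="text" value="%s">' % quote(some_value)


def parse_start_tag(markup):
    """Minimal start-tag tokenizer: returns (tag_name, [(name, value), ...]).

    Mirrors how a browser reads a double-quoted attribute value: it ends at the
    very next " in the markup, so anything after that is parsed as more
    attributes.  A stray " inside an attribute name is kept as part of the
    name, as the spec's attribute-name state does.  Values are entity-decoded.
    """
    assert markup.startswith("<") and markup.endswith(">"), "expected a single start tag"
    body = markup[1:-1]
    i, n = 0, len(body)
    while i < n and not body[i].isspace():      # tag name
        i += 1
    tag = body[:i].lower()
    attrs = []
    while i < n:
        while i < n and body[i].isspace():      # skip whitespace between attributes
            i += 1
        if i >= n:
            break
        start = i
        while i < n and not body[i].isspace() and body[i] != "=":   # attribute name
            i += 1
        name = body[start:i].lower()
        value = None
        if i < n and body[i] == "=":
            i += 1
            if i < n and body[i] == '"':        # double-quoted value: read to the next "
                i += 1
                start = i
                while i < n and body[i] != '"':
                    i += 1
                value = html.unescape(body[start:i])
                i += 1                          # consume the closing quote
            else:                               # unquoted value: read to whitespace
                start = i
                while i < n and not body[i].isspace():
                    i += 1
                value = html.unescape(body[start:i])
        attrs.append((name, value))
    return tag, attrs


def value_survives_round_trip(some_value, quote):
    """True if the rendered tag parses back to exactly type=text and value=some_value."""
    _, attrs = parse_start_tag(render_input(some_value, quote))
    return attrs == [("type", "text"), ("value", some_value)]


if __name__ == "__main__":
    # The message's own example plus a constructed attribute-breakout input.
    for some_value in ['test with a " quote', '" onmouseover="alert(1)']:
        for quote in (quote_without_dq, quote_with_dq):
            markup = render_input(some_value, quote)
            print(quote.__name__, markup, parse_start_tag(markup)[1], sep="\n  ")
```

Running the module shows the split: with `quote_without_dq`, `test with a " quote` comes back as `value="test with a "` plus a junk attribute named `quote"`, and the constructed input turns into a third attribute, `onmouseover`; with `quote_with_dq` both values round-trip intact as a single `value` attribute. The `value_survives_round_trip` check is the kind of assertion worth keeping in a template engine's test suite for every character the quoting function claims to handle.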