[Zope-dev] Re: [Zope-Checkins] CVS: Zope/lib/python/TAL - TALInterpreter.py:1.69.6.10
Florent Guillaume
fg@nuxeo.com
23 Dec 2002 18:51:45 +0100
Ok thanks for the explanation, I didn't realize this piece of code was
used for attribute replacement too.
> Test checked in by the way.
Thanks a lot. However it doesn't test the case you describe below, does
it?
> > > (And if it's a fix it should be in HEAD too.)
>
> Why?
Well, because otherwise 2.7 won't have the fix :-)
Florent
On Mon, 2002-12-23 at 18:29, Andy McKay wrote:
> > But why? Why escape double quotes when it's not a reserved character?
> > I really don't understand the need, and the example in the collector
> > doesn't convince me. What is the problem?
>
> The problem occurs where you want to include the value of a variable inside an
> attribute.
>
> For example:
>
> <input type="string" tal:attributes="value someValue">
>
> By default Page Templates replaces the escaped value in the form, unless
> "structure" is specified. If someValue contained a " (eg: test with a "
> quote) then you would get the following invalid html (this is what you
> currently get):
>
> <input type="string" value="test with a " quote">
>
> This of course should be (and what the patch changes it to):
>
> <input type="string" value="test with a &quot; quote">
>
> If you do not escape double quotes in the Page Template html quoting
> function, you will never be able to easily use Page Templates unless you are
> sure that someValue does not have double quotes escaped. This would mean
> having to import an escaping function into your page templates or adding an
> extra layer of python involved for almost every use of a variable.
>
> Otherwise you would be living on the edge as you would never be quite sure
> if your HTML is properly escaped. For example this occurs in almost all of
> the CMF skin. Note that in good old DTML if you use html_quote, you're
> escaping " by default (lib\python\DocumentTemplate\html_quote.py).
>
> If we are escaping <> and &, I see no reason not to escape " as well.
>
> And I believe the Zope Book Appendix C needs updating to reflect this.
>
> Test checked in by the way.
> --
> Andy McKay
--
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87 http://nuxeo.com mailto:fg@nuxeo.com
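An added illustration of the attribute-quoting problem discussed in the thread above (this is example code, not code from the thread or from Zope/TAL): `old_quote` and `new_quote` are hypothetical stand-ins for the page template quoting function before and after escaping `"`, and `parse_attrs` is a minimal attribute parser that shows what the rendered markup actually conveys.

```python
import html
import re

# Constructed sample value from the thread: someValue contains a double quote.
SOME_VALUE = 'test with a " quote'


def old_quote(text):
    """Quoting as the thread describes the old behaviour: only &, < and > escaped."""
    return text.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')


def new_quote(text):
    """Quoting as the patch changes it: the double quote is escaped as well."""
    return old_quote(text).replace('"', '&quot;')


def render_input(value, quote):
    """Render the thread's <input type="string" tal:attributes="value someValue">
    with the attribute substituted through the given quoting function."""
    return '<input type="string" value="%s">' % quote(value)


def parse_attrs(tag):
    """Walk name="value" pairs inside a single start tag, roughly as a browser
    would, and return them as (name, value) tuples with entities decoded.
    A name without ="..." is returned with value None."""
    body = re.match(r'<\w+(.*)>$', tag).group(1)
    attrs = []
    for m in re.finditer(r'([A-Za-z_:][\w:.-]*)(?:="([^"]*)")?', body):
        value = m.group(2)
        attrs.append((m.group(1), html.unescape(value) if value is not None else None))
    return attrs


if __name__ == '__main__':
    # Unescaped " ends the attribute early and leaves a stray "quote" attribute.
    print(parse_attrs(render_input(SOME_VALUE, old_quote)))
    # With &quot; the full value survives as the single "value" attribute.
    print(parse_attrs(render_input(SOME_VALUE, new_quote)))
```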