[Zope-dev] Re: [Zope-Checkins] CVS: Zope/lib/python/TAL -TALInterpreter.py:1.69.6.10

Florent Guillaume fg@nuxeo.com
23 Dec 2002 18:51:45 +0100


Ok thanks for the explanation, I didn't realize this piece of code was
used for attribute replacement too.

> Test checked in by the way.

Thanks a lot. However it doesn't test the case you describe below, does
it?

> > > (And if it's a fix it should be in HEAD too.)
> 
> Why?

Well, because otherwise 2.7 won't have the fix :-)

Florent


On Mon, 2002-12-23 at 18:29, Andy McKay wrote:
> > But why? Why escape double quotes when it's not a reserved character?
> > I really don't understand the need, and the example in the collector
> > doesn't convince me. What is the problem?
> 
> The problem occurs where you want to include the value of a variable inside an
> attribute.
> 
> For example:
> 
> <input type="string" tal:attributes="value someValue">
> 
> By default Page Templates replaces the escaped value in the form, unless
> "structure" is specified. If someValue contained a " (eg: test with a "
> quote) then you would get the following invalid html (this is what you
> currently get):
> 
> <input type="string" value="test with a " quote">
> 
> This of course should be (and what the patch changes it to):
> 
> <input type="string" value="test with a &quot; quote">
> 
> If you do not escape double quotes in the Page Template html quoting
> function, you will never be able to easily use Page Templates unless you are
> sure that someValue does not have double quotes escaped. This would mean
> having to import an escaping function into your page templates or adding an
> extra layer of python involved for almost every use of a variable.
> 
> Otherwise you would be living on the edge as you would never be quite sure
> if your HTML is properly escaped. For example this occurs in almost all of
> the CMF skin. Note that in good old DTML if you use html_quote, you're
> escaping " by default (lib\python\DocumentTemplate\html_quote.py).
> 
> If we are escaping <> and &, I see no reason not to escape " as well.
> 
> And I believe the Zope Book Appendix C needs updating to reflect this.
>
> Test checked in by the way.
> --
>   Andy McKay
-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com
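The attribute-quoting problem Andy describes in the quoted message, as an added example that is not code from the Zope checkin or from either poster: a quoting function that stops at &amp;, &lt; and &gt; next to one that also escapes the double quote, both run through a tal:attributes-style substitution and then through Python's html.parser to show which value a parser actually recovers. The function names (html_quote_legacy, html_quote, render_attribute, parsed_value) are made up for this illustration.

```python
# Added example, not code from the Zope checkin or from either poster.
# Function names (html_quote_legacy, html_quote, render_attribute,
# parsed_value) are made up for this illustration.
from html.parser import HTMLParser

VALUE = 'test with a " quote'  # the sample value from the thread


def html_quote_legacy(text):
    """Escapes only the characters reserved in text content: & < >."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def html_quote(text):
    """Also escapes ", so the result is safe inside a double-quoted attribute."""
    return html_quote_legacy(text).replace('"', "&quot;")


def render_attribute(name, value, quote):
    """Mimics tal:attributes: the quoted value replaces the attribute's value."""
    return '<input type="string" %s="%s">' % (name, quote(value))


class _FirstTag(HTMLParser):
    """Records the attributes of the first start tag, as a parser sees them."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if not self.attrs:
            self.attrs = attrs


def parsed_value(markup, name="value"):
    """Returns the attribute value a parser recovers, with entities decoded."""
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    return dict(parser.attrs).get(name)


if __name__ == "__main__":
    broken = render_attribute("value", VALUE, html_quote_legacy)
    fixed = render_attribute("value", VALUE, html_quote)
    # The raw quote closes the attribute early, so the parser sees a truncated value.
    print(broken, "->", repr(parsed_value(broken)))
    print(fixed, "->", repr(parsed_value(fixed)))
```

The same truncation is what lets a value containing `"` break out of the attribute entirely, which is why escaping it belongs in the quoting function rather than in every template that uses a variable.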