[Zope-dev] Re: [Zope-Checkins] CVS: Zope/lib/python/TAL -TALInterpreter.py:1.69.6.10
Steve Alexander
steve@cat-box.net
Tue, 24 Dec 2002 10:05:24 +0000
> The problem occurs where you want to include the value of a variable inside an
> attribute.
>
> For example:
>
> <input type="string" tal:attributes="value someValue">
>
> By default Page Templates replaces the escaped value in the form, unless
> "structure" is specified. If someValue contained a " (eg: test with a "
> quote) then you would get the following invalid html (this is what you
> currently get):
>
> <input type="string" value="test with a " quote">
>
> This of course should be (and what the patch changes it to):
>
> <input type="string" value="test with a &quot; quote">
>
> If you do not escape double quotes in the Page Template html quoting
> function, you will never be able to easily use Page Templates unless you are
> sure that someValue does not have double quotes escaped. This would mean
> having to import an escaping function into your page templates or adding an
> extra layer of python involved for almost every use of a variable.
I think page templates should escape quotes in tal:attributes, but not
under other circumstances.
Also, I believe that an alternative in the example you give would be to
use single quotes. This is consistent with how quoteattr works:
>>> from xml.sax.saxutils import quoteattr
>>> print quoteattr('foo" bar')
'foo" bar'
>>> print quoteattr("""foo' bar""")
"foo' bar"
>>> print quoteattr("""foo'" bar""")
"foo'&quot; bar"
>>>
quoteattr only resorts to using &quot; when there is no alternative --
that is, when the string being quoted contains both a single quote and a
double quote.
So, perhaps an alternative fix would be to revert the current fix, and
instead make tal:attributes use quoteattr.
--
Steve Alexander
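
The three renderings discussed in this thread, compared by parsing each result back, as an added example that is not part of the original message or of the Zope patch. The function names are hypothetical, the sample values are constructed, and Python's `html.parser` stands in for whatever consumes the generated markup.

```python
from html.parser import HTMLParser
from xml.sax.saxutils import escape, quoteattr


class _InputAttrs(HTMLParser):
    """Collect the attributes of the first <input> tag seen."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = attrs


def render_unquoted_escape(value):
    # Behaviour the quoted message calls "what you currently get":
    # &, < and > are escaped, the double quote is not.
    return '<input type="string" value="%s">' % escape(value)


def render_quot_escape(value):
    # What the patch is described as doing: also turn " into &quot;.
    return '<input type="string" value="%s">' % escape(value, {'"': "&quot;"})


def render_quoteattr(value):
    # The alternative proposed in the reply: quoteattr picks the delimiter
    # and only falls back to &quot; when both quote characters occur.
    return '<input type="string" value=%s>' % quoteattr(value)


def parsed_attrs(markup):
    """Return the (name, value) pairs a parser sees in the <input> tag."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def round_trips(render, value):
    """True if parsing yields exactly type plus the original value."""
    return parsed_attrs(render(value)) == [("type", "string"), ("value", value)]
```

With the unescaped rendering the parser sees a truncated `value` and treats the remainder as further attribute text, which is why the choice of quoting function matters for any value that is not fully trusted.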