[Zope] Zope 2.7.2 breaks Plone 2.0.3 login_form

Passin, Tom tpassin at mitretek.org
Fri Jul 23 16:59:00 EDT 2004


> Passin, Tom
I wrote -
 
> Hey, Fred!
> 
> Don't want to harp on this but the XML Rec does not agree with the
> notion of "delimiter in context".  A CDATA section exists specifically
> to say "This may look like markup but it isn't".  The XML 1.0 Rec says
> 
> 'Definition: CDATA sections MAY occur anywhere character data may occur;
> they are used to escape blocks of text containing characters which would
> otherwise be recognized as markup. CDATA sections begin with the string
> "<![CDATA[" and end with the string "]]>":"'
> 
> And also it goes on to say this -
> 
> 'Within a CDATA section, only the CDEnd string is recognized as markup,
> so that left angle brackets and ampersands may occur in their literal
> form; they need not (and cannot) be escaped using "&lt;" and "&amp;"'
> 
> I'd say that is pretty definitive, wouldn't you?  If there is some folk
> "knowledge" about CDATA sections built into the parser that thinks
> otherwise, I'd say the parser is non-conformant about CDATA sections
> (hmm, I almost wrote that "C-sections"!).

I just looked at the HTML 4.01 Rec, and the script element is declared
to be of type "CDATA".  The Rec adds these words -

"Although the STYLE and SCRIPT elements use CDATA for their data model,
for these elements, CDATA must be handled differently by user agents.
Markup and entities must be treated as raw text and passed to the
application as is. The first occurrence of the character sequence "</"
(end-tag open delimiter) is treated as terminating the end of the
element's content. In valid documents, this would be the end tag for the
element."

Note that this use of the term "CDATA" is specific to SGML (as opposed
to XML) and has nothing to do with CDATA sections.  I know this is
confusing - see Joe English's page for some explanation - 

http://www.flightlab.com/~joe/sgml/cdata.html

Anyway, terminating the string interpretation upon finding "</" is
apparently being done by an HTML parser, and what's more is legal and
required for it to do.  So at a minimum the browser's parser will (or at
least may, depending on how strict it is) do it, regardless of what Zope
does.  That agrees with my experience except that I didn't realize it
was legal.

The upshot is that the Plone template is written incorrectly and it is
just lucky that it has worked up until now.  Well, who knew?  

Cheers,

Tom P
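
The HTML 4.01 rule quoted in the message above, applied to a template, as an added example that is not part of the original message and is not Zope or Plone code. The function names and the sample markup are constructed for illustration, and the escaping helper assumes the text is being placed inside a JavaScript string literal.

```python
import re

# Start tag of a SCRIPT element (case-insensitive, attributes allowed).
SCRIPT_OPEN = re.compile(r"<script\b[^>]*>", re.IGNORECASE)

def html4_script_bodies(html):
    """Yield (body, terminator) for each SCRIPT element, ending the body at
    the first "</" as the HTML 4.01 text quoted above requires."""
    pos = 0
    while True:
        m = SCRIPT_OPEN.search(html, pos)
        if m is None:
            return
        end = html.find("</", m.end())
        if end == -1:                      # unterminated element
            yield html[m.end():], ""
            return
        gt = html.find(">", end)
        stop = len(html) if gt == -1 else gt + 1
        yield html[m.end():end], html[end:stop]
        pos = stop

def premature_terminations(html):
    """Return the script bodies cut short by a "</" that is not </script>."""
    return [body for body, term in html4_script_bodies(html)
            if not re.fullmatch(r"</script\s*>", term, re.IGNORECASE)]

def escape_for_script(js_string_content):
    """Escape "</" for use inside a JavaScript string literal: "<\\/" is the
    same string to JavaScript but no longer contains the end-tag delimiter."""
    return js_string_content.replace("</", "<\\/")

# Constructed sample template fragments (not taken from Plone).
BROKEN = '<script type="text/javascript">document.write("<b>hi</b>");</script>'
FIXED = ('<script type="text/javascript">document.write("'
         + escape_for_script("<b>hi</b>") + '");</script>')

if __name__ == "__main__":
    print(premature_terminations(BROKEN))  # body truncated at "</b>"
    print(premature_terminations(FIXED))   # nothing flagged
```

The same truncation is why untrusted text written into a script element has to have "</" escaped: a parser that follows this rule leaves script context at that point.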

