[ZPT] Re: [Zope] prevent quoting in tal:attributes
Dieter Maurer
dieter at handshake.de
Wed Oct 1 17:38:31 EDT 2003
Fergal Daly wrote at 2003-10-1 21:17 +0100:
> ...
> I can understand the wish to sometimes put entities into attributes but if
> it's enabled by default, without a way to turn off then that's not good there
> are plenty of situations where you definitely want "&something;" to be
> substituted into the document as "&something;",
You can easily get the effect of quoting when it is not done for you (provided
that "&" is not turned into "&amp;").
There is no way to get the effect of "not quoting" when it is done
for you.
I am not sure whether there is a security risk (similar to the one
given by not quoting HTML fragments). In principle, an entity
reference can expand to anything (defined in the document type).
Dieter
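To make the two positions above concrete, here is an added Python example (not code from the thread, from Zope or from ZPT) that renders an attribute both ways a template engine might: quoted, as tal:attributes does, and raw. It then parses the result back with the standard-library HTML parser to show what a consumer actually sees. The helper names (quoted_attr, raw_attr, render_link, parse_attrs) and the two input strings are constructed for this illustration.

```python
from html import escape
from html.parser import HTMLParser


def quoted_attr(name, value):
    """Attribute with its value escaped: &, <, >, " and ' can never
    terminate the value or start a new attribute."""
    return f'{name}="{escape(value, quote=True)}"'


def raw_attr(name, value):
    """Attribute with the value dropped in verbatim (no quoting at all)."""
    return f'{name}="{value}"'


def render_link(href, quote=True):
    """Render <a href=...>link</a> using either the quoted or the raw form."""
    attr = quoted_attr if quote else raw_attr
    return f"<a {attr('href', href)}>link</a>"


def pre_escaped_raw(name, value):
    """Dieter's first point: when the engine does not quote for you, quoting
    the value yourself beforehand gives exactly the quoted result."""
    return raw_attr(name, escape(value, quote=True))


class _AttrCollector(HTMLParser):
    """Collects the (name, value) attribute pairs the parser recovers.
    HTMLParser unescapes entity references in attribute values, so the
    collected values are what a browser would work with."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def parse_attrs(markup):
    """Return the attribute list a parser sees in the rendered tag."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs


# Constructed input 1: the legitimate reason to want "no quoting". The author
# wants the entity reference to survive so the browser expands it.
ENTITY_HREF = "/search?q=caf&eacute;"

# Constructed input 2: the reason quoting is the safe default. A value that
# contains a double quote closes the attribute and starts another one.
HOSTILE_HREF = '/x" onmouseover="alert(1)'


if __name__ == "__main__":
    for label, href in (("entity", ENTITY_HREF), ("hostile", HOSTILE_HREF)):
        for quote in (True, False):
            markup = render_link(href, quote=quote)
            print(f"{label:8} quoted={quote!s:5} {markup}")
            print(f"{'':8} parsed as: {parse_attrs(markup)}")
    assert pre_escaped_raw("href", ENTITY_HREF) == quoted_attr("href", ENTITY_HREF)
```

With quoting, the entity reference reaches the browser as the literal text "&eacute;", which is what the original poster was complaining about; without quoting it is expanded to "é". The same switch, applied to the hostile value, turns one href attribute into an href plus an onmouseover handler, which is the attribute-injection risk behind Dieter's closing remark. The last line of the block shows that escaping the value yourself before a raw insertion reproduces the quoted output, whereas nothing can be done after the engine has quoted.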