[ZPT] RE:Re: [Zope] prevent quoting in tal:attributes

fergal at esatclear.ie fergal at esatclear.ie
Thu Oct 2 04:58:57 EDT 2003


So everybody needs to add code to quote &s in all variables that will be used as attributes now? This doesn't sound good to me. There is a lot of code out there that currently works perfectly no matter what your strings contain (and remember some of these strings are entered by users so they could contain anything). Now all this code has to be rewritten to quote &s.

I'm not saying there should be only one way of handling strings. Both modes should be available. My point is that the old behaviour should be the default unless you want to subtly break lots of existing code.

F

Original Message:
-----------------
From: dieter at handshake.de

Fergal Daly wrote at 2003-10-1 21:17 +0100:
 > ...
 > I can understand the wish to sometimes put entities into attributes, but if
 > it's enabled by default, without a way to turn it off, then that's not good. There
 > are plenty of situations where you definitely want "&something;" to be
 > substituted into the document as "&something;",

You can easily get the effect of quoting when it is not done for you (provided
that "&" is not turned into "&amp;").

There is no way to get the effect of "not quoting" when it is done
for you.


I am not sure whether there is a security risk (similar to the one
given by not quoting HTML fragments). In principle, an entity
reference can expand to anything (defined in the document type).


Dieter
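An added example, not code from the thread or from Zope, showing in Python the two modes the discussion is about: a strict mode that turns every "&" into "&amp;" and an entity-preserving mode that lets a well-formed reference such as "&copy;" through. Both modes still quote the double quote, since a raw quote from user input would end the attribute value early; the parser check shows what actually reaches the document. The function names and sample strings are constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# A well-formed entity reference: &name; or &#123; or &#x1F;
_ENTITY_RE = re.compile(r"&(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);")


def quote_attribute(value: str, preserve_entities: bool = False) -> str:
    """Make `value` safe inside a double-quoted attribute.

    Strict mode (default) quotes every '&'. With preserve_entities=True a
    well-formed entity reference passes through untouched, but any other '&'
    and every '"' or '<' is still quoted, so the attribute cannot be closed
    or turned into markup by the value.
    """
    if not preserve_entities:
        return html.escape(value, quote=True)
    out, pos = [], 0
    for m in _ENTITY_RE.finditer(value):
        out.append(html.escape(value[pos:m.start()], quote=True))
        out.append(m.group(0))          # keep the entity reference as written
        pos = m.end()
    out.append(html.escape(value[pos:], quote=True))
    return "".join(out)


def render_link(href: str, title: str, preserve_entities: bool = False) -> str:
    """Build an <a> start tag the way a tal:attributes binding would."""
    return '<a href="%s" title="%s">' % (
        quote_attribute(href, preserve_entities),
        quote_attribute(title, preserve_entities),
    )


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs = dict(attrs)        # values arrive already unescaped


def parsed_attributes(tag_markup: str) -> dict:
    """Parse one start tag as a browser would and return its attribute values."""
    p = _AttrCollector()
    p.feed(tag_markup)
    p.close()
    return p.attrs
```

With a constructed user string like 'x?a=1&b=2&copy;' the two modes differ only in the trailing reference, which is exactly the ambiguity the thread is arguing over.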


