[ZPT] Re: [Zope] prevent quoting in tal:attributes

Jamie Heilman jamie at audible.transient.net
Fri Sep 26 16:09:42 EDT 2003


Dieter Maurer wrote:
> Why not?
> Sometimes it is essential to have *unquoted* character entities
> in attributes.
> I would not mind if we would replace "structure" by some other
> keyword. However, the effect would be the same as that of "structure":
> suppress the usual auto-quoting.

If you allow >, <, or " without quoting you've provided a gateway for
generating broken markup.  You might be able to just allow all character
entities without causing too many problems, although frankly I don't
entirely trust it.  At one point I thought Zope did this.  (You may
remember that some overambitious programmer at Netscape thought
JavaScript entities would be a swell idea, thus cursing Navigator
users to a life of difficult-to-detect JavaScript exploits.
Thankfully Mozilla didn't carry that brokenness forward.)  I still
don't entirely understand the need though.  If you want to put Ä in an
attribute, just do it, and send the page with the proper character
encoding... is there something I'm missing?

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
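
An added example, not part of the original message and not Zope's own code: a sketch of the middle ground discussed above, where well-formed character entities pass through but <, >, " and every other ampersand are still quoted. The names quote_attr and render_attr and the sample values are assumptions made for illustration.

```python
import re
from html import escape

# Well-formed character references only: named (&Auml;), decimal (&#196;)
# and hex (&#xC4;). Netscape-style JavaScript entities (&{...};) do not
# match, so their ampersand is quoted like any other.
_ENTITY = re.compile(r"&(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);")


def quote_attr(value, keep_entities=False):
    """Quote a string for use inside a double-quoted attribute value.

    keep_entities=False quotes everything, including every ampersand.
    keep_entities=True leaves well-formed character references alone but
    still quotes <, >, quote characters and any other ampersand.
    """
    if not keep_entities:
        return escape(value, quote=True)
    out, pos = [], 0
    for m in _ENTITY.finditer(value):
        out.append(escape(value[pos:m.start()], quote=True))  # text before
        out.append(m.group(0))                                 # entity as-is
        pos = m.end()
    out.append(escape(value[pos:], quote=True))                # trailing text
    return "".join(out)


def render_attr(name, value, keep_entities=False):
    """Build name="value" with the value quoted by quote_attr."""
    return '%s="%s"' % (name, quote_attr(value, keep_entities))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    samples = [
        "&Auml;rger",              # entity the template author wants kept
        'x" onmouseover="y',       # would end the attribute if left unquoted
        "&{expr};",                # Netscape JavaScript entity syntax
        "a & b <c>",               # bare ampersand and angle brackets
    ]
    for s in samples:
        print(render_attr("title", s, keep_entities=True))
```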


