[ZPT] Re: [Zope-Annce] TAL Hotfix 2004-07-14 for Zope 2.7.0, 2.7.1
Fred Drake
fred at zope.com
Mon Jul 19 11:18:29 EDT 2004
Dieter Maurer wrote:
> I read it above: the interpolated translation has not been
> HTML/XML quoted. "Interpolated translation" means "values substituted
> in slots of translated elements" (whatever that may be in detail).
On Monday 19 July 2004 02:41 am, Chris Withers wrote:
> So, just to check, this hotfix was released because someone might provide
> a msgstr that might contain illegal HTML, and that might get through
> unquoted, and that's IT?!
No, that's not it at all.
The change doesn't affect text from the message, but text substituted into the
fields of the message.
For example:
  <span i18n:translate="">
    Some text
    <i18n:field name="foo" tal:replace="request/something"/>
    more text
  </span>
The message id is "Some text ${foo} more text", but the substitution for
${foo} needs to be quoted, since it comes from an untrusted source. That's
what this hotfix adds.
-Fred
--
Fred L. Drake, Jr. <fred at zope.com>
Zope Corporation
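
The behaviour described in the message above, as an added example that is not part of the original post and is not Zope's TAL code: values substituted into `${name}` slots are HTML-quoted, while the translated message text is passed through as supplied. The function name `interpolate`, its `quote` flag and all sample strings are assumptions constructed for illustration.

```python
import html
import re

# Matches ${name} slots in a message id or translated string.
_SLOT = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def interpolate(msgstr, mapping, quote=True):
    """Substitute ${name} slots in msgstr with values from mapping.

    quote=True  -> each substituted value is HTML-quoted (hardened form).
    quote=False -> values are inserted raw (the unquoted form, for contrast).
    The message text itself is never quoted: it comes from the catalog.
    """
    def repl(match):
        name = match.group(1)
        if name not in mapping:
            return match.group(0)  # unknown slot: leave it untouched
        value = str(mapping[name])
        return html.escape(value, quote=True) if quote else value

    # A single re.sub pass: text inserted for one slot is not rescanned,
    # so a value containing "${bar}" cannot trigger a second substitution.
    return _SLOT.sub(repl, msgstr)


# Constructed sample data (hypothetical, mirrors the message id in the post).
MSGID = "Some text ${foo} more text"
TRANSLATED = "Texte <em>${foo}</em> suite"      # catalog text with markup
UNTRUSTED = "<script>alert(1)</script>"         # stands in for request/something


def render_unquoted():
    return interpolate(MSGID, {"foo": UNTRUSTED}, quote=False)


def render_quoted():
    return interpolate(MSGID, {"foo": UNTRUSTED})


if __name__ == "__main__":
    print("unquoted:", render_unquoted())
    print("quoted:  ", render_quoted())
    print("markup:  ", interpolate(TRANSLATED, {"foo": "a & b"}))
```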