[Zope-dev] Re: [Zope-Checkins] CVS: Zope/lib/python/TAL -TALInterpreter.py:1.69.6.10

Steve Alexander steve@cat-box.net
Tue, 24 Dec 2002 10:05:24 +0000


> The problem occurs where you want to include the value of a variable inside an
> attribute.
> 
> For example:
> 
> <input type="string" tal:attributes="value someValue">
> 
> By default Page Templates replaces the escaped value in the form, unless
> "structure" is specified. If someValue contained a " (eg: test with a "
> quote) then you would get the following invalid html (this is what you
> currently get):
> 
> <input type="string" value="test with a " quote">
> 
> This of course should be (and what the patch changes it to):
> 
> <input type="string" value="test with a &quot; quote">
> 
> If you do not escape double quotes in the Page Template html quoting
> function, you will never be able to easily use Page Templates unless you are
> sure that someValue does not have double quotes escaped. This would mean
> having to import an escaping function into your page templates or adding an
> extra layer of python involved for almost every use of a variable.

I think page templates should escape quotes in tal:attributes, but not 
under other circumstances.

Also, I believe that an alternative in the example you give would be to 
use single quotes. This is consistent with how quoteattr works:

>>> from xml.sax.saxutils import quoteattr
>>> print quoteattr('foo" bar')
'foo" bar'
>>> print quoteattr("""foo' bar""")
"foo' bar"
>>> print quoteattr("""foo'" bar""")
"foo'&quot; bar"
>>>

quoteattr only resorts to using &quot; when there is no alternative -- 
that is, when the string being quoted contains both a single quote and a 
double quote.

So, perhaps an alternative fix would be to revert the current fix, and 
instead make tal:attributes use quoteattr.

--
Steve Alexander
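The three escaping strategies discussed in this thread (text escaping only, as the reporter says Page Templates currently does; escaping the double quote as `&quot;`, as the patch does; and letting `quoteattr` choose the quoting style, as suggested above), worked through as an added example. This is not code from the thread or from Zope/TAL: it is a stand-alone Python 3 script using only the standard library, with constructed sample values, that renders the `<input>` from the thread each way and parses the result back with `html.parser` to check whether the attribute value survives intact or breaks out of the attribute.

```python
from html.parser import HTMLParser
from xml.sax.saxutils import escape, quoteattr

# Constructed sample values (not from the thread except the first one).
# The last one shows why an unescaped '"' is a security problem and not only
# an HTML-validity problem: it terminates the attribute and starts a new one.
SAMPLES = [
    'test with a " quote',
    "foo' bar",
    """foo'" bar""",
    'a & b < c',
    'x" extra="injected',
]


def naive_attr(value):
    """Text escaping only (& < >), with no handling of quotes.

    This is the behaviour the reporter describes as the current one."""
    return '<input type="string" value="%s">' % escape(value)


def escaped_attr(value):
    """Text escaping plus '"' -> '&quot;', the fix the patch applies."""
    return '<input type="string" value="%s">' % escape(value, {'"': '&quot;'})


def quoteattr_attr(value):
    """Let xml.sax.saxutils.quoteattr pick the quote character itself.

    It uses '...' when the value holds a '"', "..." otherwise, and only
    falls back to &quot; when both quote kinds are present."""
    return '<input type="string" value=%s>' % quoteattr(value)


def parse_attrs(markup):
    """Parse a single start tag and return its attributes as a dict,
    which is roughly how a browser would interpret the markup."""

    class _TagParser(HTMLParser):
        def __init__(self):
            super().__init__()
            self.attrs = None

        def handle_starttag(self, tag, attrs):
            self.attrs = dict(attrs)

    parser = _TagParser()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def round_trips(render, value):
    """True if rendering `value` with `render` yields a tag that parses back
    to exactly the attributes {type, value} with the original value."""
    attrs = parse_attrs(render(value))
    return attrs.get("value") == value and set(attrs) == {"type", "value"}


def check_all(samples=SAMPLES):
    """Map each sample value to {strategy name: did the value round-trip?}."""
    strategies = {
        "naive": naive_attr,
        "escaped": escaped_attr,
        "quoteattr": quoteattr_attr,
    }
    return {
        value: {name: round_trips(fn, value) for name, fn in strategies.items()}
        for value in samples
    }


if __name__ == "__main__":
    for value, results in check_all().items():
        print(repr(value))
        for name, ok in results.items():
            print("  %-10s %-5s %s" % (name, ok, globals()[name + "_attr"](value)))
```

Both `escaped_attr` and `quoteattr_attr` round-trip every sample, including the one that smuggles in an extra attribute; `naive_attr` fails on every value containing a `"`, and for the last sample the parsed tag gains an `extra` attribute that the template author never wrote, which is the attribute-injection case a defender cares about.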