[Zope] TaintedString, how is it determined, where ?

Jamie Heilman jamie@audible.transient.net
Wed, 7 May 2003 13:44:57 -0700


> I am playing with the html_quote function, trying to get it to quote ALL
> html entities, not just the basic ones cgi.escape() handles.

You don't need to do that if you're serving the content with the
correct character set.
 
> I've got that part working well enough, though I had to modify Zope code ...
> Is it possible to monkey patch (or in any other way modify) from a product a
> function (and not a class) ?

I've found, where there's a will there's a way, but you really don't
need to in this case.

> The problem I discovered is that only "tainted strings" are passed to
> html_quote.  BUT what Zope determines to be "tainted" isn't "wide" enough
> for my needs.  In my case, strings with latin-1 accents are not deemed
> "tainted", which means they don't get quoted by the code I have in place
> (Which would replace "é" with "é").

Why not just return the document with the charset header set to
iso-8859-1?

> I could just write a new PythonScript or something like that to do it ...
> But since the architecture is already in place to do it, I'd rather just
> modify that.

I'd advise against that, cgi.escape gets used a lot, there's no point
in making it more expensive than it needs to be.
 
-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
						-Sathington Willoughby
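
The approach suggested in the reply above, as an added example that is not part of the original message and is not Zope code: escape only the markup-significant characters and declare the charset, so accented Latin-1 text needs no entity quoting. `build_response` and `SAMPLE` are hypothetical names, and `html.escape` stands in for `cgi.escape`, which newer Python versions no longer ship.

```python
# Added example, not Zope code. build_response() is a hypothetical helper.
from html import escape  # stdlib successor to cgi.escape()

CHARSET = "iso-8859-1"


def build_response(untrusted_text, charset=CHARSET):
    """Return (headers, body_bytes) for an HTML page embedding untrusted_text."""
    # Escape only the characters that are significant to the HTML parser:
    # & < > " '   Accented letters are left untouched.
    safe = escape(untrusted_text, quote=True)
    page = "<html><body><p>%s</p></body></html>" % safe

    # Encode in the charset that will be declared. Characters the charset
    # cannot represent fall back to numeric character references, so the
    # output is always valid in that charset.
    body = page.encode(charset, errors="xmlcharrefreplace")

    headers = [
        # The declared charset must match the encoding used for the body.
        ("Content-Type", "text/html; charset=%s" % charset),
        ("Content-Length", str(len(body))),
    ]
    return headers, body


# Constructed sample input: a Latin-1 accent, markup, an ampersand, and a
# character (the euro sign) that iso-8859-1 cannot represent.
SAMPLE = "caf\u00e9 <b>x</b> & \u20ac5"

if __name__ == "__main__":
    hdrs, data = build_response(SAMPLE)
    for name, value in hdrs:
        print("%s: %s" % (name, value))
    print()
    print(data)
```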