[ZPT] Re: [Zope] prevent quoting in tal:attributes

fergal at esatclear.ie fergal at esatclear.ie
Thu Oct 9 05:10:27 EDT 2003


I think it's far more useful than a mode which passes everything through
unescaped. If you pass through ", ' or an & which is not part of an entity
then you still have to do lots of work, inside your app, escaping strings
to make sure you don't end up with broken XML. There is absolutely no need
to be able to pass an unescaped " or ' into an attribute. The same
applies to an ampersand which is not part of an entity. Passing them
through will lead to broken pages.

If you can find a good way to describe it then it shouldn't be confusing.
This page

http://www.zope.org/Documentation/Books/ZopeBook/2_6Edition/AppendixC.stx

doesn't describe the current quoting behaviour for tal:attributes. Is
it the latest version?

Stealing from the tal:replace documentation - how about this

The default replacement behavior is text, which replaces angle-brackets,
ampersands, single and double quotes with their HTML entity equivalents.
The entities keyword performs the same escaping except it will not escape
an ampersand which is part of a well formed entity, allowing HTML/XML
entities to be inserted. This can cause problems if the text contains
unanticipated entities (eg. text submitted via a web form), which is the
reason that it is not the default. However it will not result in badly
formed HTML/XML.

The essential difference for me is the last sentences. Compare them to 

The structure keyword passes the replacement text through unchanged,
allowing HTML/XML markup to be inserted. This can break your page if the
text contains unanticipated markup (eg. text submitted via a web form),
which is the reason that it is not the default.

So yes, it's a bit more confusing but the great thing about TAL is that
(except for structures) you don't have to ever worry about escaping things.
It would be nice if we could make the entities mode as worry free.

I think it would also be nice to have it available on tal:replace too. I'd
imagine a lot of uses of the structure keyword are simply for squeezing an
entity into the page. Structure is a necessary evil but if we can provide a
safe alternative for some uses of it, that would be nice.

F


Original Message:
-----------------
From: Chris Withers chrisw at nipltd.com
Hmmm... the example I was objecting to was:

hello &name; "how are you"

into

hello &name; "how are you"

...which quotes some things and not others, which can only be confusing!

Chris
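The three modes discussed in this thread (text, the proposed entities mode, and structure) can be pinned down by writing them out. The following is an added example, not TAL's or Zope's own implementation: it implements the escaping rules as the post describes them and adds a check that a value is safe to place inside a double-quoted attribute. The regular expression defining a "well-formed entity" (a named reference, a decimal or a hexadecimal character reference) is an assumption made for this example; TAL's actual rule may differ.

```python
import re

# What counts as a well-formed entity reference is an assumption for this
# example: a named entity (&amp;), a decimal character reference (&#60;)
# or a hexadecimal one (&#x3C;), each terminated by a semicolon.
ENTITY_RE = re.compile(r"&(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);")

# Characters other than '&' that must never appear raw in attribute text.
REPLACEMENTS = {
    "<": "&lt;",
    ">": "&gt;",
    "'": "&#39;",
    '"': "&quot;",
}


def escape_text(s: str) -> str:
    """'text' mode: every &, <, >, ' and " becomes its entity equivalent."""
    # '&' is replaced first so the entities introduced below are not re-escaped.
    out = s.replace("&", "&amp;")
    for ch, ent in REPLACEMENTS.items():
        out = out.replace(ch, ent)
    return out


def escape_entities(s: str) -> str:
    """'entities' mode: as text mode, except that an ampersand which already
    starts a well-formed entity reference is kept so the entity survives."""
    parts = []
    pos = 0
    for m in ENTITY_RE.finditer(s):
        parts.append(escape_text(s[pos:m.start()]))  # escape the gap before it
        parts.append(m.group(0))                      # keep the entity verbatim
        pos = m.end()
    parts.append(escape_text(s[pos:]))
    return "".join(parts)


def structure(s: str) -> str:
    """'structure' mode: the value passes through untouched."""
    return s


def attribute_is_well_formed(value: str) -> bool:
    """True if the value can sit inside a double-quoted attribute without
    breaking the markup: no raw '<', no raw '"', and every '&' is part of a
    well-formed entity reference."""
    if '"' in value or "<" in value:
        return False
    # Strip all entity references; any '&' left over is a bare ampersand.
    return "&" not in ENTITY_RE.sub("", value)


def compare_modes(value: str) -> dict:
    """Run one value through all three modes; for each, return the result and
    whether it is safe to drop into a double-quoted attribute."""
    modes = (("text", escape_text), ("entities", escape_entities),
             ("structure", structure))
    return {name: (fn(value), attribute_is_well_formed(fn(value)))
            for name, fn in modes}


if __name__ == "__main__":
    # Constructed sample inputs: the example from the thread and a string of
    # the kind a web form might submit.
    for sample in ('hello &name; "how are you"', 'Tom & "Jerry" <script>'):
        for mode, (result, safe) in compare_modes(sample).items():
            print(f"{mode:9} {'ok ' if safe else 'BAD'} {result}")
```

Running it shows the property the post argues for: text and entities mode both yield attribute-safe output for every input, the only difference being whether `&name;` survives as an entity or is turned into the literal text `&amp;name;`, while structure mode is the one that can break the page on unanticipated input.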







