[ZPT] RE:Re: [Zope] prevent quoting in tal:attributes

Jamie Heilman jamie at audible.transient.net
Fri Oct 3 04:58:40 EDT 2003


fergal at pop.esatclear.ie wrote:
> Sometimes there is no XML expansion available, sometimes expanding
> the entities is just a really bad idea (like when the entities are
> &chapter1;, &chapter2; etc., it would be nice not to expand them
> inline).

OK, I'll concede the need for a keyword toggle (or some like device)
for entity quoting in XML.  I don't do much work in it, so my
knowledge of entity declaration was too lacking to see the necessity
at first, but I did some reading so I could understand your examples
and now I see your point.  I'm still loath to see this applied to
text/html just because it makes building insecure templates that much
more possible, but I imagine that it may become necessary with
application/xhtml+xml documents.

Anyway, I think we can at least agree that quoting dynamic attributes
by default is preferable over not.  Yes?  Which would still leave us
with the bug Evan has been trying to squash, which interestingly
enough I can't seem to trigger.

Evan, you were saying that given:

<img alt="&amp;" tal:attributes="alt request/alt|default" />

The outcome would be <img alt="&amp;amp;" /> assuming request/alt
didn't exist, correct?  Because I don't see that behavior in my tree.
I get <img alt="&amp;" /> which is exactly what I expect to get.  So
maybe I don't understand the nature of the issue you were trying to
fix...
 
-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."
                                                        -Frank Zappa
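
The quoting behaviours discussed in this message, as an added example that is not part of the original post and is not ZPT's own code: a simplified model of rendering one dynamic attribute. The names `render_attr`, `render_img`, the `structure` opt-out toggle and the `requote_default` flag are hypothetical, and the request values are constructed.

```python
from html import escape

# Stand-in for TAL's `default`: keep the value written in the template source.
DEFAULT = object()


def render_attr(name, static_src, value, structure=False, requote_default=False):
    """Render one attribute of a template element (simplified model).

    static_src      -- attribute text as written in the template source,
                       i.e. already entity-encoded by the template author
    value           -- result of the expression, or DEFAULT
    structure       -- hypothetical toggle: insert the value without quoting
    requote_default -- model of the reported bug: quote the static text again
    """
    if value is DEFAULT:
        # The static text is markup already; quoting it a second time
        # turns "&amp;" into "&amp;amp;".
        text = escape(static_src, quote=True) if requote_default else static_src
    elif structure:
        # Opt-out: needed for XML entity references such as &chapter1;,
        # but any untrusted value passes through untouched.
        text = str(value)
    else:
        # Quote-by-default: &, <, > and quotes in dynamic data are encoded.
        text = escape(str(value), quote=True)
    return '%s="%s"' % (name, text)


def render_img(request, **options):
    """Model of <img alt="&amp;" tal:attributes="alt request/alt|default" />."""
    value = request.get("alt", DEFAULT)
    return "<img %s />" % render_attr("alt", "&amp;", value, **options)


if __name__ == "__main__":
    # Constructed request values, with and without the opt-out toggle.
    for request in ({}, {"alt": "&chapter1;"}, {"alt": '" onload="x'}):
        print(render_img(request))
        print(render_img(request, structure=True))
```

With the toggle on, the entity reference survives for XML output, and the same switch lets a quote character in request data close the attribute, which is the text/html concern raised above.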
