[ZPT] Re: [Zope] prevent quoting in tal:attributes

Chris Withers chrisw at nipltd.com
Wed Oct 15 07:42:25 EDT 2003


fergal at esatclear.ie wrote:
> I think it's far more useful than a mode which passes everything through
> unescaped. If you pass through ", ' or an & which is not part of an entity
> then you still have to do lots of work, inside your app, escaping strings
> to make sure you don't end up with broken XML.

Why? If we had the proposed fully quote option I mentioned, there is no problem...

> There is absolutely no need
> to be able to pass an unescaped " or ' into an attribute. The same
> applies to an ampersand which is not part of an entity. Passing them
> through will lead to broken pages.

Well, I don't know whether to agree or not, how about 3 options then?
(still with the 'everything quoted' option being the default..)

There's also still the question of how to choose whether you want url quoting or 
html quoting...

> If you can find a good way to describe it then it shouldn't be confusing.
> This page
> 
> http://www.zope.org/Documentation/Books/ZopeBook/2_6Edition/AppendixC.stx
> 
> doesn't describe the current quoting behaviour for tal:attributes. Is
> it the latest version?

probably...

> The default replacement behavior is text, which replaces angle-brackets,
> ampersands, single and double quotes with their HTML entity equivalents.
> The entities keyword performs the same escaping except it will not escape
> an ampersand which is part of a well formed entity, allowing HTML/XML
> entities to be inserted. This can cause problems if the text contains
> unanticipated entities (eg. text submitted via a web form), which is the
> reason that it is not the default. However it will not result in badly
> formed HTML/XML.

Sounds okay...

> The structure keyword passes the replacement text through unchanged,
> allowing HTML/XML markup to be inserted. This can break your page if the
> text contains unanticipated markup (eg. text submitted via a web form),
> which is the reason that it is not the default.
> 
> So yes, it's a bit more confusing but the great thing about TAL is that
> (except for structures) you don't have to ever worry about escaping things.
> It would be nice if we could make the entities mode as worry free.

Can't really comment, other than what I've already said, the 'partial quoting' 
thing seems confusing to me...

cheers,

Chris
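The three replacement modes quoted above (text, entities, structure), plus the url-versus-html quoting question raised in the reply, as an added example written for this archive page; it is not TAL's own implementation nor code from anyone in the thread. The function names, the `url` mode and the round-trip check are assumptions made for illustration; the point it shows is why structure mode can break an attribute and why entities mode silently changes form input that happens to look like an entity.

```python
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Ampersand that starts a well-formed reference: named (&amp;), decimal (&#38;)
# or hexadecimal (&#x26;). Anything else is a bare ampersand to be escaped.
_ENTITY_RE = re.compile(r"&(?:#[0-9]+|#x[0-9A-Fa-f]+|[A-Za-z][A-Za-z0-9]*);")


def escape_text(value: str) -> str:
    """'text' mode: <, >, &, ' and " all become entity references."""
    return html.escape(value, quote=True)


def escape_entities(value: str) -> str:
    """'entities' mode: same as text mode, except an ampersand that already
    begins a well-formed entity reference is passed through untouched."""
    out, pos = [], 0
    for m in _ENTITY_RE.finditer(value):
        out.append(escape_text(value[pos:m.start()]))  # escape the gap
        out.append(m.group(0))                         # keep the entity as-is
        pos = m.end()
    out.append(escape_text(value[pos:]))
    return "".join(out)


def escape_structure(value: str) -> str:
    """'structure' mode: replacement text is inserted verbatim."""
    return value


def escape_url(value: str) -> str:
    """Hypothetical 'url' mode (assumed, not in TAL): percent-encode the value
    so it is safe as a URL component, then HTML-escape what is left."""
    return escape_text(quote(value, safe=""))


MODES = {
    "text": escape_text,
    "entities": escape_entities,
    "structure": escape_structure,
    "url": escape_url,
}


def render_attribute(name: str, value: str, mode: str = "text") -> str:
    """Render name="value" the way a tal:attributes replacement would."""
    return f'{name}="{MODES[mode](value)}"'


def attribute_round_trip(name: str, value: str, mode: str = "text"):
    """Render the attribute into a tiny XML element, parse it back, and return
    the attribute value the parser sees, or None if the output is not well
    formed. Comparing the result with the input shows whether the mode
    preserved the author's text."""
    try:
        el = ET.fromstring(f"<a {render_attribute(name, value, mode)}/>")
    except ET.ParseError:
        return None
    return el.get(name)


if __name__ == "__main__":
    # Constructed sample: text as a user might type it into a web form.
    form_input = 'Tom &amp; Jerry & "friends"'
    for mode in MODES:
        print(mode, "->", render_attribute("title", form_input, mode),
              "| parsed back:", attribute_round_trip("title", form_input, mode))
```

Text mode is the only one that round-trips arbitrary input unchanged; entities mode turns the literal `&amp;` a user typed into a single `&` after parsing (the "unanticipated entities" problem the quoted page describes), and structure mode lets a stray `"` terminate the attribute early, so the element no longer parses at all.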