[ZPT] Re: [Zope] prevent quoting in tal:attributes

fergal at esatclear.ie fergal at esatclear.ie
Wed Oct 15 08:28:19 EDT 2003


Maybe 3 options is what's required: default quote everything mode,
structure mode (which lets you hang yourself as high as you like) and
entities mode which just lets you pass entities but will not break anything.

So you can do this (I'm using a web mailer which might mess this up, let me
know if it does)

dontdothis='hello &copy;"/>wibble<tag bing="crosby';

<tag tal:attributes="attr structure dontdothis"/>

which will become

<tag attr="hello &copy;"/>wibble<tag bing="crosby"/>

or this

piccopy='&copy; Fergal Daly <fergal at esatclear.ie>';

<img src="pic.png" tal:attributes="alt entities piccopy"/>

which will become

<img src="pic.png" alt="&copy; Fergal Daly &lt;fergal at esatclear.ie&gt;">

But honestly, if you have "entities", I can't think of any legitimate uses
for "structure". If you do use it you have to either be very careful about
what values you allow into it or you have to roll your own quoting
mechanism which will probably be exactly the same as "entities".

Can you think of an example where structure can do something sensible
but entities can't do it?

On URL vs HTML encoding, when would you need to URL encode something in an
attribute? I know you might want to URL encode part of an attribute, for
instance if you are passing a URL to a redirect script but I can't think of
any examples when you want to encode an entire attribute.

I would argue that the whole issue of quoting is confusing. Partial quoting
moves the confusion into the TAL docs and protects users. Allowing totally
unquoted attrs just moves the confusion from TAL into the application. The
people confused by partial quoting are the same people who won't even see
the dangers of totally unquoted mode until it bites them in the app
(possibly as a big security hole). People being confused is preferable to
people _thinking_ they understand when they don't.

F
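A small Python model of the three attribute modes the message proposes, written as an added example for this archive page (not Zope's or TAL's own implementation): `quote_attr`, `render_tag`, `attribute_count` and the mode names are assumptions, and the sample values are the ones from the message above.

```python
import re

# Matches an existing character or entity reference so "entities" mode can leave it intact.
# Constructed for this example; not TAL's own grammar.
_ENTITY_RE = re.compile(r"&(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);")

def quote_attr(value: str, mode: str = "default") -> str:
    """Return VALUE escaped for use inside a double-quoted HTML attribute.

    mode="default":   quote everything, so "&copy;" becomes "&amp;copy;"
    mode="entities":  quote '<', '>', '"' and any '&' that does not start a
                      well-formed entity reference; "&copy;" passes through
    mode="structure": pass the value through untouched (caller is responsible)
    """
    if mode == "structure":
        return value
    if mode == "default":
        value = value.replace("&", "&amp;")
    elif mode == "entities":
        out, pos = [], 0
        for m in _ENTITY_RE.finditer(value):
            out.append(value[pos:m.start()].replace("&", "&amp;"))
            out.append(m.group(0))          # keep the existing entity as-is
            pos = m.end()
        out.append(value[pos:].replace("&", "&amp;"))
        value = "".join(out)
    else:
        raise ValueError(f"unknown mode: {mode}")
    return value.replace('"', "&quot;").replace("<", "&lt;").replace(">", "&gt;")

def render_tag(tag: str, attr: str, value: str, mode: str = "default") -> str:
    """Render a self-closing tag with one attribute, as the message's examples do."""
    return f'<{tag} {attr}="{quote_attr(value, mode)}"/>'

def attribute_count(markup: str) -> int:
    """Count name="..." tokens: more than one from a single attribute means the
    value broke out of its quotes (the 'big security hole' the message warns about)."""
    return len(re.findall(r'\b[A-Za-z_:][\w:.-]*="', markup))

if __name__ == "__main__":
    dontdothis = 'hello &copy;"/>wibble<tag bing="crosby'     # value from the message
    piccopy = "&copy; Fergal Daly <fergal at esatclear.ie>"   # value from the message
    for mode in ("default", "entities", "structure"):
        rendered = render_tag("tag", "attr", dontdothis, mode)
        print(f"{mode:9} attrs={attribute_count(rendered)} {rendered}")
    print(render_tag("img", "alt", piccopy, "entities"))
```

Only "structure" mode lets the `dontdothis` value close its attribute and inject a second tag; "entities" keeps `&copy;` readable while still confining the value to one attribute.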

