I've been thinking a good bit about how characters are escaped (now that I've studied it more extensively)... And I have some thoughts on the subject.
Currently (in my pre-release version) when page content is saved, several escapes are made for various reasons: some technical, some BoltWire specific, some general security. We've just added & to that list for better xhtml validation. When data values are saved, none of these escapes are made--but the actual input is saved to the page.

Now, when I retrieve page content, we're good to go. Just output what you have and everything is fine. Markup rules are all tweaked to look for that escaped content. When data values are prepared I simply escape the values at the time they are read and output those escaped values. Same effect, but if you look at the actual source code, you see the difference immediately. There are pros and cons to both approaches, but my thinking is at minimum, both should work the same way.

As for escaping content when saved (which is necessary for a couple escapes), the main advantage is security. Someone could enter some html, javascript, or php on a page and if somehow that page could get called in a browser (wrong .htaccess) or imported directly (via a poorly designed plugin) you could have major issues. This applies primarily to the < escape. Second, it seems faster. Translate once and you are done. No need to retranslate it every time you view that page. Third advantage, it is what we have now. Some of those escapes are built up to solve bug problems from the distant past, that **might** possibly resurface if we moved them. I don't know.

On the other hand I like the approach of escaping it when it is displayed. The code seems simpler. The markup rules get simpler. And perhaps most important, the source pages are significantly easier to read. Which means it is also easier to manually import text right into your wiki, or to use an external editor. This was one of my original goals in designing BoltWire's page format--drag and drop of text pages into your pages folder--but that has gotten trickier with every new escape.
However, changing this would also cause problems with existing pages that have escaped content--that would now have to be unescaped... Essentially we would have to run a fixer script to upgrade our pages.

Just thinking out loud. Looking at the two, I guess the best option is to stick with the status quo of escaping page content (and data values) at the time a page is saved. If anyone differs on the conclusion, wants to argue for the other, I'm open, because I really like the idea. Maybe it's something we can consider for a future release...

Cheers,
Dan

P.S. I'm thinking about bundling in an advanced fixer script with special BoltWire hooks to allow you to do upgrades to your site fairly easily. You change some settings on some page (code.fixer), click a button, and the fixer script gets triggered using your settings. This could be used to move or rename multiple files, and/or change markups in multiple files. I like the thought of having tools for easy upgrades when we find better ways of doing things.
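The two strategies weighed in this message (escape when saving versus escape when displaying), together with the fixer-script upgrade step, as an added example that is not part of the original post and is not BoltWire's code. All function names and the sample input are constructed, and PHP's built-in `htmlspecialchars()` is assumed as a stand-in for BoltWire's own list of escapes.

```php
<?php
declare(strict_types=1);
// Added illustration: function names and sample input are constructed,
// and htmlspecialchars() stands in for BoltWire's own escape list.
const FLAGS = ENT_QUOTES | ENT_SUBSTITUTE;

// Strategy A: escape once at save time, emit the stored text unchanged.
function saveEscaped(string $in): string { return htmlspecialchars($in, FLAGS, 'UTF-8'); }
function renderEscapedStore(string $stored): string { return $stored; }

// Strategy B: store the raw input, escape on every read.
function saveRaw(string $in): string { return $in; }
function renderRawStore(string $stored): string { return htmlspecialchars($stored, FLAGS, 'UTF-8'); }

// Fixer step for converting a stored page from A to B: decode exactly once.
function fixerUnescape(string $stored): string { return htmlspecialchars_decode($stored, FLAGS); }

function report(string $label, bool $result): void {
    echo str_pad($label, 50), $result ? 'yes' : 'no', "\n";
}

$input = 'Tom & Jerry <b>bold</b> <?php echo 1;';   // constructed sample input
$pageA = saveEscaped($input);                       // what lands on disk under A
$pageB = saveRaw($input);                           // what lands on disk under B

report('Same HTML sent to the browser by A and B?',
       renderEscapedStore($pageA) === renderRawStore($pageB));

// The stored file is what a misconfigured .htaccess or a plugin that
// includes the page directly would expose, so compare what is on disk.
report("Stored file contains '<' under A?", strpos($pageA, '<') !== false);
report("Stored file contains '<' under B?", strpos($pageB, '<') !== false);

// Mixing the strategies: a page saved under A but read by B's renderer
// is escaped twice, so the entities themselves show up as visible text.
report('A-page through B renderer still correct?',
       renderRawStore($pageA) === renderRawStore($pageB));

// Upgrade path: one fixer pass restores the raw text, but a second pass
// is not harmless when the author literally typed an entity.
$typedText = 'Write &lt; for a less-than sign';     // constructed sample input
$typed = saveEscaped($typedText);
report('One fixer pass returns what was typed?', fixerUnescape($typed) === $typedText);
report('Two fixer passes return what was typed?',
       fixerUnescape(fixerUnescape($typed)) === $typedText);
```

A fixer script for this kind of migration needs a per-page marker recording which pages it has already converted, since the stored text alone does not reveal how many times it has been escaped.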
