On Mon, 05 Apr 2004 15:04:07 +0200
Sergio Moretti <[EMAIL PROTECTED]> wrote:

SM> Ivan F. Martinez wrote:
SM> 
SM> > On Mon, 5 Apr 2004 11:37:14 +0200
SM> > "Henner Kollmann" <[EMAIL PROTECTED]> wrote:
SM> > 
SM> > HK> > 
SM> > HK> > If I have a field in database with something like :
SM> > HK> > 
SM> > HK> > text1 " text2
SM> > HK> > 
SM> > HK> > and use a textField (or any other field) the value shown in
SM> > HK> > the field becomes incomplete (only 'text1'), because the
SM> > HK> > browser recognizes " as the end of the value attribute.
SM> > HK> 
SM> > HK> This is a real problem...
SM> > HK> 
SM> > HK> > 
SM> > HK> > Also I can't correctly edit fields with HTML codings,
SM> > HK> > 
SM> > HK> > &ccedil; becomes ç in the editfield; in this case '&' must be
SM> > HK> > encoded to &amp; to make it possible to edit the text as &ccedil;
SM> > HK> > 
SM> > HK> But you can enter &ccedil; into the editfield and this will be
SM> > HK> stored as &ccedil; So that the overall result should be
SM> > HK> correct.
SM> > HK> 
SM> > 
SM> > Let's think from the start.
SM> > In the current code if you write &ccedil; it will be written to the
SM> > database field as &ccedil; but when you go to edit this field the
SM> > entry field will show 'ç', which is visually the same, but not
SM> > correct because the real value in the database is '&ccedil;'.
SM> > 
SM> > Escaping makes the edit part of the system correct, but it must be
SM> > optional for the developer in the labels, where the developer can
SM> > choose to escape or not depending on the data.
SM> > 
SM> > We can create an attribute in DbBaseHandlertag to control this
SM> > selection. The default must be to escape; this makes the conversions
SM> > transparent for applications, and only when the developer really
SM> > knows that the value in the field is HTML can he show the data
SM> > without escaping.
SM> > 
SM> > 
SM> I think that the problem comes when dbform has to fill a value
SM> attribute (for an input tag), as only in this case is there the
SM> need to escape the chars " and &. For example a textarea doesn't have
SM> this problem, since it's like <textarea>" & are ok here</textarea>.

In this case you must escape the < character: if you are editing an HTML
part, maybe this part has </textarea>, and this will cut your data.

Escaping in all places is safe, and only do not escape if the developer
knows the data and knows the place where the value will be rendered.


-- 


Ivan F. Martinez
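
Added example (not part of the original thread and not DbForms code): the three cases discussed above, rendered with and without escaping and then read back with Python's html.parser as a stand-in for the browser. The function names, the field name "f" and the sample values are assumptions made for this illustration.

```python
from html import escape
from html.parser import HTMLParser

class FieldReader(HTMLParser):
    """Recovers the editable value a parser sees in an <input> or <textarea>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.input_value = None
        self.textarea_text = None
        self._in_textarea = False

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.input_value = dict(attrs).get("value")
        elif tag == "textarea" and self.textarea_text is None:
            self._in_textarea, self.textarea_text = True, ""

    def handle_endtag(self, tag):
        if tag == "textarea":
            self._in_textarea = False  # the first </textarea> ends the field

    def handle_data(self, data):
        if self._in_textarea:
            self.textarea_text += data

def render_input(value, escape_value=True):
    # quote=True also rewrites " and ', so the value cannot end the attribute
    v = escape(value, quote=True) if escape_value else value
    return '<input type="text" name="f" value="%s">' % v

def render_textarea(value, escape_value=True):
    # element content: & and < must be escaped, quotes are harmless here
    v = escape(value, quote=False) if escape_value else value
    return '<textarea name="f">%s</textarea>' % v

def seen_by_parser(markup):
    reader = FieldReader()
    reader.feed(markup)
    reader.close()
    if reader.input_value is not None:
        return reader.input_value
    return reader.textarea_text

if __name__ == "__main__":
    # constructed sample values, one per case raised in the thread
    cases = [(render_input, 'text1 " text2'), (render_input, '&ccedil;'),
             (render_textarea, 'one </textarea> two')]
    for render, stored in cases:
        for esc in (False, True):
            print(render.__name__, esc, repr(seen_by_parser(render(stored, esc))))
```

With escaping on, the value read back equals the stored value in every case, so an edit-and-save round trip does not change the database content.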


_______________________________________________
DbForms Mailing List

http://www.wap-force.net/dbforms