I think some related problems get mixed up here.
Let me try to summarize the problems as I understand them.
First we should remember that not only the < char is affected, but also
the & char used in both Python and Javascript for bitwise "and". The >
char is unproblematic, however.
The problem of Javascript (ticket #99):
You cannot embed Javascript like

    for (var i=0; i<10; ++i)

without change in a Kid template because of the < char.
If you escape the < char, the Javascript will not run.
This is because the input is required to be xml, even if you want to
serialize as html.
Additional problem: Even if you put the Javascript in a CDATA block, it
is automatically escaped and the Javascript will not run either.
In a comment to ticket #99, somebody claimed that the Javascript comes
out ok if you serialize as html, but this does not seem to be true.
The problem of Python:
Python outside <?python > *must* be escaped while for Python *inside*
<?python >, it is just the opposite, Python inside <?python > *may not*
be escaped.
I agree with Ryan that we cannot do much here as long as we want to keep
input (template source) well-formed and that there are good reasons to
do this.
But I think something we can do is point these issues out more clearly
in the FAQ and user guide.
And the output serializers can be improved:
For instance, if a script contains "<" or "&" chars, the serializer
could automatically place it in a CDATA block for xhtml, or output
literally for html.
According to the html 4.01 standard, it is ok to put "<" in script data
(you may just not put "</" there) and script data that is element
content may not even contain character references.
Here are some pages about the issue:
http://www.codehouse.com/javascript/tips/xhtml/
http://javascript.about.com/library/blxhtml.htm
http://www.mit.edu/~ddcc/xhtmlref/text.html
I would like to contribute a patch but have very little time currently.
Maybe somebody else can jump in.
-- Christoph
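
The serializer behaviour proposed in the message above, sketched as an added example; it is not part of the original message and not Kid's own code. The function name `serialize_script` and the `method` values "html" and "xhtml" are assumptions made for the illustration.

```python
OPEN = '<script type="text/javascript">'
CLOSE = '</script>'


def serialize_script(code, method):
    """Wrap JavaScript source `code` in a script element for `method`."""
    if method == "html":
        # HTML 4.01 script data is output literally: "<" and "&" stay as
        # they are, and character references would not be decoded anyway.
        # Only "</" is a problem because it ends the element early, so it
        # is hidden as "<\/", the form HTML 4.01 (appendix B.3.2) suggests
        # for JavaScript string literals.
        return OPEN + code.replace("</", "<\\/") + CLOSE

    if method == "xhtml":
        # Nothing that needs protecting: emit the script as plain text.
        if not any(s in code for s in ("<", "&", "]]>")):
            return OPEN + code + CLOSE
        # Otherwise use a CDATA section so an XML parser sees the script
        # unescaped. A literal "]]>" in the script would close the section
        # early, so split it across two adjacent CDATA sections.
        safe = code.replace("]]>", "]]]]><![CDATA[>")
        # The "//" markers turn the CDATA delimiters into JavaScript
        # comments for browsers that parse the page as HTML. Note that
        # such browsers do not understand the "]]>" split above.
        return OPEN + "//<![CDATA[\n" + safe + "\n//]]>" + CLOSE

    raise ValueError("unknown serialization method: %r" % (method,))


if __name__ == "__main__":
    # Constructed sample input, using the loop from the message.
    js = "for (var i=0; i<10; ++i) x = i & 1;"
    print(serialize_script(js, "html"))
    print(serialize_script(js, "xhtml"))
    print(serialize_script('document.write("</b>")', "html"))
```

The "</" rewrite matters for more than well-formedness: if template data ever reaches a script block, an unhidden "</script" in it would end the element and let the rest be parsed as markup.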