On 11.7.2009, at 19.49, MK wrote:

> Unfortunately, |h *does not* escape the single quote! This is a
> significant problem:

Let me calm your mind a bit by mentioning that the single quote is, out of the five, the least significant. The single quote, like the double quote, does not need to be escaped *except* in tag attributes, and only if it collides with the tag delimiters. It wasn't really added to the reserved characters list before XHTML (and didn't have its own named character entity, &apos;). Let's take this by example:

<a href="#" title="this's odd">link</a>              <!-- this is perfectly valid --
<a href="#" title='this is odd'>link</a>             -- so is this --
<a href="#" title='this's odd'>link</a>              -- invalid --
<a href="#" title='this&apos;s odd'>link</a>         -- valid (xml, xhtml) --
<a href="#" title='this&#39;s odd'>link</a>          -- valid (xml, xhtml, html) --
<a href="#" title='she said "no"'>link</a>           -- valid --
<a href="#" title="she said &quot;no&quot;">link</a> -- valid --
<a href="#" title="she said "no"">link</a>           -- invalid -->

So, you will be safe as long as you use double quotes for attributes.

> But, using Ajax.Updater, strings brought back from the db cause a
> problem here:
>
> parameters: { name: '<%$data[1]%>'....

Now we are in javascript's domain. The basic rules are the same, but different. Do continue using |h, but add an escaper of your own. I think (I don't know javascript) you need to escape the apostrophe with a backslash, and the backslash with a backslash [1]. Something like this could do:

s/\\/\\\\/g;
s/'/\\'/g;    # (backslashes always end up looking naughty)

What you should do is to define an escape function of your own, and bind it to 'j' (for "javascript") or some other character. Then you can do the following:

<% $data[1] | h, j %>

(I'm unsure if the order makes a difference)

http://www.masonhq.com/docs/manual/Devel.html#escaping_expressions

[1] You should consult a javascript resource (or prototype's documentation) and see what kind of format the strings are supposed to be in, and what kind of escaping is needed.

> because $data[1] can contain a single quote. So I had to write a
> simple little function:
>
> sub esc_squote {
>     my $ref = shift;
>     $$ref =~ s/'/&#39;/;
> }

This wouldn't work. It may look like it worked from a superficial inspection of the generated html, but it results in a syntax error in the javascript. Example follows.

$data[1] = "it's this";
name: '<% esc_squote($data[1]) %>'

Results in:

name: 'it&#39;s this'

Which will be parsed by the browser's html parser to this:

name: 'it's this'

...which will get fed to the javascript engine (syntax error, security issue, etc)

> So I am going to have to say something in the tutorial like "While
> Mason provides |h, I don't use it here because we must also escape the
> single quote.

While all this probably feels confusing, remember that you are essentially dealing with a mark-up language with embedded scripts. Both the mark-up language and the scripts need their own form of escaping data for safety. I repeat: You should continue to use |h.

> Although in fact I will probably mix the
> two, using |h where possible because it is easier.

Please mix |h and your custom escape function :-)

_______________________________________________
Mason-users mailing list
Mason-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mason-users
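A JavaScript string-literal escaper of the kind the reply suggests binding to a 'j' flag, added here as an example (it is not code from the thread or from Mason itself). It assumes the value lands inside a single-quoted JavaScript string and, going beyond the thread's example, shows why the two escapes are applied in different orders for a <script> block and for an event-handler attribute; the escape-flag wrapper follows the reference-passing convention of the Mason manual linked above.

```perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Escape $s for use inside a single-quoted JavaScript string literal.
# Backslashes go first so the escapes added afterwards are not doubled.
sub js_escape {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/\\/\\\\/g;
    $s =~ s/'/\\'/g;
    $s =~ s/"/\\"/g;
    $s =~ s/\r/\\r/g;
    $s =~ s/\n/\\n/g;
    $s =~ s{</}{<\\/}g;   # a literal "</script>" would otherwise end the script block
    return $s;
}

# Mason escape flags receive a reference to the text; register this with
# $interp->set_escape( j => \&mason_j ) and use it as <% $value | j %>.
sub mason_j {
    my $ref = shift;
    $$ref = js_escape($$ref);
}

# Roughly what Mason's |h filter does: encode &, <, > and " as HTML entities.
sub html_escape {
    my ($s) = @_;
    return encode_entities($s, '<>&"');
}

my $value = q{it's "x" \ </script>};   # constructed sample value from the database

# Inside a <script> block the HTML parser does not decode entities, so only
# the JavaScript escaping is applied there.
my $in_script = "parameters: { name: '" . js_escape($value) . "' }";

# Inside an event-handler attribute the browser decodes entities first and
# only then hands the text to the JavaScript engine, so the inner context
# (JavaScript) is escaped first and the outer one (HTML attribute) last.
my $in_attr = 'onclick="f(\'' . html_escape(js_escape($value)) . '\')"';

print "$in_script\n";
print "$in_attr\n";
```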