On 12-01-2010 at 13:25:45 <the...@spiffyjr.me> wrote:
>> Does Dojo expect to get HTML/XML markup as input, or unescaped script?
>> If the latter, you might get nasty surprise when you use '&' or '<'.
> I see what you mean here. I think I'll try to come up with some way to
> alter the scripts. Perhaps using macros to insert the script code
> where necessary? I haven't looked at them much but they sound promising.
Macros just call PHPTAL code, so you'll get more of the same escaping :)
I've checked source code of this dojo view, and it's quite ignorant about
escaping, as I expected. It doesn't try to escape the content, just hopes
to receive something compatible with whatever can be put in <script> (in
HTML) or CDATA (if xhtml mode is enabled).
With these assumptions if you used </ or ]]> in your source code, it could
break the page. If you used XML without CDATA to capture, the script could
fail, etc. (regardless whether you use PHPTAL or not).
I think your options are:
1. Use capturing, but stay away from characters that have different
meaning in XML/HTML/CDATA/plaintext: < > &
2. Use $dojo->addOnLoad() in PHP code. Give it code escaped appropriately
for template markup you generate (best bet is to use HTML5 output mode and
only escape </ as <\/)
3. Try <script tal:omit-tag="">/*<![CDATA[*/ instead of <tal:block>.
Script element in PHPTAL triggers special-case workaround for text/html,
which is closer to what Dojo expects.
PHPTAL mailing list
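
Option 2 from the message above, as an added example that is not part of the original thread and is not PHPTAL, Zend or Dojo code. The helper name `prepareInlineScript()` and the sample scripts are assumptions made up for illustration; it escapes `</` as `<\/` for HTML output and refuses input containing `]]>` when the script will sit inside CDATA.

```php
<?php
// Added example. prepareInlineScript() is a hypothetical helper, not a
// PHPTAL/Zend/Dojo API. Its result is what you would hand to
// $dojo->addOnLoad() (option 2 in the thread).

/**
 * Prepare JavaScript source for an inline <script> element.
 * $mode: 'html'  = script body is raw text in text/html output
 *        'xhtml' = script body is wrapped in a CDATA section
 */
function prepareInlineScript(string $js, string $mode = 'html'): string
{
    if ($mode === 'xhtml' && strpos($js, ']]>') !== false) {
        // "]]>" would close the CDATA section early. No single rewrite is
        // safe in every JavaScript context (it is legal in code such as
        // a[b[0]]>c), so reject it and let the author restructure the script.
        throw new InvalidArgumentException('script contains "]]>"');
    }

    // In HTML, "</" inside the script body can end the element early.
    // "<\/" means the same thing inside JS string and regex literals, which
    // is where "</" normally occurs. Assumption: "</" does not appear in
    // bare code (for example a less-than directly followed by a regex).
    return str_replace('</', '<\/', $js);
}

// Constructed sample: a string literal that contains a closing script tag.
$onLoad = 'function(){ dojo.byId("out").innerHTML = "<b>a & b</b></script>"; }';

// HTML mode: the closing tags are neutralised, "&" and "<b>" stay untouched
// because the script body is not parsed as markup.
echo '<script>dojo.addOnLoad(' . prepareInlineScript($onLoad) . ");</script>\n";

// XHTML/CDATA mode: constructed sample that contains "]]>" in ordinary code.
try {
    prepareInlineScript('if (a[b[0]]>c) { run(); }', 'xhtml');
} catch (InvalidArgumentException $e) {
    echo 'rejected for XHTML/CDATA output: ', $e->getMessage(), "\n";
}
```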