On 12-01-2010 at 13:25:45 <the...@spiffyjr.me> wrote:

Does Dojo expect to get HTML/XML markup as input, or unescaped script?

If the latter, you might get nasty surprise when you use '&' or '<'.

I see what you mean here. I think I'll try to come up with some way to
alter the scripts. Perhaps using macros to insert the the script code where necessary? I haven't looked at them much but they sound promising.

Macros just call PHPTAL code, so you'll get more of the same escaping :)

I've checked source code of this dojo view, and it's quite ignorant about escaping, as I expected. It doesn't try to escape the content, just hopes to receive something compatible with whatever can be put in <script> (in HTML) or CDATA (if xhtml mode is enabled).

With these assumptions if you used </ or ]]> in your source code, it could break the page. If you used XML without CDATA to capture, the script could fail, etc. (regardless whether you use PHPTAL or not).

I think your options are:

1. Use capturing, but stay away from characters that have different meaning in XML/HTML/CDATA/plaintext: < > &

2. Use $dojo->addOnLoad() in PHP code. Give it code escaped appropriately for template markup you generate (best bet is to use HTML5 output mode and only escape </ as <\/)

3. Try <script tal:omit-tag="">/*<![CDATA[*/ instead of <tal:block>. Script element in PHPTAL triggers special-case workaround for text/html, which is closer to what Dojo expects.

regards, Kornel

PHPTAL mailing list

Reply via email to