The development version of WebHelpers has incorporated MarkupSafe. I just need some people to test it with their apps and see if any compatibility issues come up. Here's the docs:

"""
WebHelpers 1.2 [unreleased] uses MarkupSafe, a package which provides an enhanced implementation of this protocol. Mako and Pylons have also switched to MarkupSafe. Its advantages are a C speedup for escaping, escaping single quotes for security, and adding new methods to literal. literal is now a subclass of markupsafe.Markup. escape is markupsafe.escape_silent. (The latter does not exist yet in MarkupSafe 0.9.3, but WebHelpers itself converts None to "" in the meantime.)

Single-quote escaping affects HTML attributes that are written like this: alt='Some text.' rather than the normal alt="Some text." If the text is a replaceable parameter whose value contains a single quote, the browser would think the value ends earlier than it does, thus enabling a potential cross-site scripting (XSS) attack. WebHelpers 1.0 and earlier escaped double quotes but not single quotes. MarkupSafe escapes both double and single quotes, preventing this sort of attack.

MarkupSafe has some slight differences which should not cause compatibility issues but may in the following edge cases.

(A) The force argument to escape() is gone. We doubt it was ever used.

(B) The default encoding of literal() is "ascii" instead of "utf-8".

(C) Double quotes are escaped as "&#34;" instead of "&quot;". Single quotes are escaped as "&#39;".
"""

--
Mike Orr <[email protected]>
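To make the single-quote point concrete, here is an added example (not WebHelpers' or MarkupSafe's own code): two hand-written escapers replicating the 1.0 and MarkupSafe behaviours described above, a template fragment using the alt='...' form, and a tokenizer that reads the attribute value the way a browser would. The helper names and the sample value are constructed for this illustration.

```python
import html
from typing import Callable, Optional

# Constructed replicas of the two behaviours the post contrasts; neither is
# the real WebHelpers or MarkupSafe source.

def escape_old(s: str) -> str:
    """WebHelpers 1.0 style: &, <, > and double quotes (as &quot;); single quotes pass through."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))

def escape_new(s: str) -> str:
    """MarkupSafe style: also escapes single quotes, using &#34; and &#39;."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&#34;").replace("'", "&#39;"))

def escape_silent(s: Optional[str]) -> str:
    """escape_silent semantics: None renders as "" rather than the text "None"."""
    return "" if s is None else escape_new(s)

def render_alt(value: str, escaper: Callable[[str], str]) -> str:
    """Template fragment using the single-quoted attribute form the post warns about."""
    return "<img alt='%s'>" % escaper(value)

def attr_value_seen_by_browser(tag: str, name: str) -> str:
    """Tokenize name='...' the way a browser does: the value ends at the next single quote."""
    start = tag.index(name + "='") + len(name) + 2
    end = tag.index("'", start)
    return html.unescape(tag[start:end])

def value_truncated(value: str, escaper: Callable[[str], str]) -> bool:
    """True when the browser sees a shorter value than the template author supplied."""
    return attr_value_seen_by_browser(render_alt(value, escaper), "alt") != value

# Constructed sample: an ordinary value that happens to contain a single quote.
SAMPLE = "O'Reilly cover"

if __name__ == "__main__":
    for label, esc in (("WebHelpers 1.0", escape_old), ("MarkupSafe", escape_new)):
        tag = render_alt(SAMPLE, esc)
        print(label, tag, "->", repr(attr_value_seen_by_browser(tag, "alt")))
```

With the 1.0-style escaper the browser sees the alt value as just "O", so everything after the stray quote is parsed as markup; with single quotes escaped the full value survives the round trip.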
