Atm:
- TemplateFactoryEngineTypes associates EncoderHtml instance with
TemplateFactory ENGINEHTML and ENGINEXHTML
- TemplateFactory ENGINEHTML is used with all html files, even if
xhtml dtd is specified inside the file.

No, it's used when you do getHtmlTemplate from within your element.
Using getXhtmlTemplate gives you an ENGINEXHTML type. What do you
mean by the dtd?

- AbstractTemplate.evaluateL10nTags uses
EncoderHtml.encodeDefensive and not EncoderHtml.encodeDefensive to
convert string,
that is StringUtils.encodeHtmlDefensive
- this last method doesn't convert "<", "&", ">", "'" and """
So, for html files with xhtml dtd and for xhtml files, we can have
trouble when any of the above characters is present in a key's
value, e.g. double quote used in an attribute's value: then the end
of the value is not displayed.

I'm not fully following, can you give an example?

Is there any reason against using EncoderHtml.encodeDefensive in
all the cases?

Yes, if you want to make sure that no html tags or entities can be
provided at all through form fields.
--
Geert Bevin Uwyn bvba
"Use what you need" Avenue de Scailmont 34
http://www.uwyn.com 7170 Manage, Belgium
gbevin[remove] at uwyn dot com Tel +32 64 84 80 03
PGP Fingerprint : 4E21 6399 CD9E A384 6619 719A C8F4 D40D 309F D6A9
Public PGP key : available at servers pgp.mit.edu, wwwkeys.pgp.net
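
The attribute problem raised in the thread, as an added example that is not part of the original messages and is not RIFE code. `encodeDefensive` and `encodeFull` are hypothetical stand-ins (the non-ASCII handling is an assumption), and the l10n value and `title` template are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.UnaryOperator;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class L10nAttributeEncoding {
    // Stand-in (assumption): non-ASCII becomes a numeric entity,
    // while < & > ' " pass through untouched, as the thread describes.
    static String encodeDefensive(String s) {
        StringBuilder out = new StringBuilder();
        s.codePoints().forEach(cp -> {
            if (cp > 127) out.append("&#").append(cp).append(';');
            else out.appendCodePoint(cp);
        });
        return out.toString();
    }

    // Stand-in for a full encoder: also converts the five markup characters.
    // '&' is replaced first so the entities added afterwards are not re-encoded.
    static String encodeFull(String s) {
        return encodeDefensive(s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&#39;"));
    }

    // What an HTML parser takes as the title value: text up to the next double quote.
    static String parsedTitle(String html) {
        Matcher m = Pattern.compile("title=\"([^\"]*)\"").matcher(html);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        String l10nValue = "Press \"Save\" to continue"; // constructed key value
        Map<String, UnaryOperator<String>> encoders = new LinkedHashMap<>();
        encoders.put("defensive", L10nAttributeEncoding::encodeDefensive);
        encoders.put("full", L10nAttributeEncoding::encodeFull);

        encoders.forEach((name, enc) -> {
            // Constructed template: the l10n value lands inside a quoted attribute.
            String html = "<input type=\"submit\" title=\"" + enc.apply(l10nValue) + "\"/>";
            System.out.println(name + " markup      : " + html);
            System.out.println(name + " parsed title: " + parsedTitle(html));
        });
    }
}
```

With the pass-through encoder the parsed attribute ends at the first embedded quote and the rest of the value spills into the tag; with the full encoder the value stays inside the attribute as `&quot;` entities.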