Seems like attributes should be escaped when using the Image.tag
feature:
SET alt_tag = 'A "real" <alt> tag';
Image.tag( alt = alt_tag, title = alt_tag );
Here's a patch against cvs. Do you want a patch for Changes, too?
Index: lib/Template/Plugin/Image.pm
===================================================================
RCS file: /template-toolkit/Template2/lib/Template/Plugin/Image.pm,v
retrieving revision 1.14
diff -u -B -r1.14 Image.pm
--- lib/Template/Plugin/Image.pm 2004/01/30 19:33:17 1.14
+++ lib/Template/Plugin/Image.pm 2005/11/29 07:01:23
@@ -163,7 +163,8 @@
if (%$options) {
while (my ($key, $val) = each %$options) {
- $tag .= " $key=\"$val\"";
+ my $escaped = escape( $val );
+ $tag .= qq[ $key="$escaped"];
}
}
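Review bot: In the loop body only `$val` is passed through `escape()`; `$key` is still interpolated into the tag unchanged, so an option name containing a space, `"` or `>` would still break the markup. Consider checking the key against a pattern such as `/^[\w:-]+$/` and skipping anything that does not match. An option passed with an undefined value will also trigger "uninitialized value" warnings inside the substitutions, so a `defined $val` guard before the call would be worthwhile.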
@@ -169,8 +170,22 @@
$tag .= ' />';
+
return $tag;
}
+
+sub escape {
+ my ($text) = @_;
+ for ($text) {
+ s/&/&/g;
+ s/</</g;
+ s/>/>/g;
+ s/"/"/g;
+ }
+ $text;
+}
+
+
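Review bot: As shown here, the substitutions in `escape` replace each character with itself (`s/&/&/g` and likewise for `<`, `>` and `"`), so the function returns its input unchanged. The replacement sides need to be the entities `&amp;`, `&lt;`, `&gt;` and `&quot;`, keeping the `&` substitution first so the entities produced by the later lines are not escaped a second time. The added blank line before `return $tag;` and the two trailing blank `+` lines can be dropped, and a line of POD stating that option values are now HTML-escaped would warn callers who already escape their values that the output will be double-encoded.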
BTW, does cvs build? I had a number of errors in make test.
Grammar.pm has comments in a qw(). gd.t and fileline.t failed.
--
Bill Moseley