Donovan Preston wrote:
> var s = '$jquote($s)'
>
> Leaving it up to the developer to ensure every potentially unsafe python string is quoted properly always makes me nervous. Nevow has enough information to automatically safely quote strings inserted in html, html attribute, and URL contexts, but isn't currently smart enough to know much about javascript and javascript string quoting contexts. livepage will try to quote things properly for you if you are using livepage.handler (which uses jquote as shown above) but it's pretty easy to fool, because nevow doesn't yet know enough about JavaScript to really be safe. I hope to add some additional intelligence soon to cover this, and perhaps also to cover CSS contexts.

This is why I strongly prefer keeping explicit quotes out of the substitution, i.e., "var s = $repr(str(s))" (or jquote or whatever), because it's less likely to lead to errors. If you do "var s = $s" it'll just break (syntactically invalid). But if you do "var s = '$s'" it'll work most of the time.


This is how the DB-API (and database quoting generally) works. And not how PHP quoting is usually done, and we know how that ends up ;)

--
Ian Bicking  /  [EMAIL PROTECTED]  / http://blog.ianbicking.org
_______________________________________________
Web-SIG mailing list
[email protected]
Web SIG: http://www.python.org/sigs/web-sig
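To make the difference between the two substitution styles concrete, here is an added example; it is not code from this thread, from Nevow or from livepage. `naive_js` stands in for the `var s = '$s'` pattern where the template author supplies the quotes, `js_string_literal` stands in for a jquote/repr-style function that emits the whole literal including its own quotes, and `trailing_after_literal` is a small scanner that reports whether a substituted value managed to escape the string literal it was meant to sit in. All function names and sample inputs are my own; `json.dumps` is used in place of `repr` because its output is a valid JS string literal, with `</` and line-terminator handling layered on top.

```python
import json


def naive_js(value):
    # The pattern the thread warns against: the template supplies the quotes,
    # so any quote character in `value` ends the literal early.
    return "var s = '%s';" % value


def js_string_literal(value):
    """Return a complete JavaScript string literal for `value`, quotes included.

    json.dumps escapes backslashes, double quotes and control characters, and
    with ensure_ascii=True (the default) it \\u-escapes every non-ASCII code
    point, which covers U+2028/U+2029, the line terminators that older JS
    engines reject inside a string literal even though JSON allows them raw.
    """
    out = json.dumps(value, ensure_ascii=True)
    # A literal inside a <script> body must not contain "</script>"; the HTML
    # parser would end the script element before the JS engine ever runs.
    return out.replace("</", "<\\/")


def safe_js(value):
    # The quotes come from the quoting function, not from the template text.
    return "var s = %s;" % js_string_literal(value)


def trailing_after_literal(stmt):
    """Scan a statement of the form `var s = <literal>...` and return whatever
    follows the first string literal. For a correctly quoted value that is
    exactly ';'. Anything else means the value broke out of the literal, and a
    non-quote first character means no literal was emitted at all."""
    prefix = "var s = "
    if not stmt.startswith(prefix):
        raise ValueError("unexpected statement shape")
    body = stmt[len(prefix):]
    if not body or body[0] not in "'\"":
        return body  # unquoted substitution: the value became bare JS code
    quote = body[0]
    i = 1
    while i < len(body):
        c = body[i]
        if c == "\\":
            i += 2  # backslash escape consumes the next character
            continue
        if c == quote:
            return body[i + 1:]
        i += 1
    return ""  # unterminated literal: also a syntax error


if __name__ == "__main__":
    # Constructed sample inputs: a harmless apostrophe and two hostile strings.
    samples = ["O'Reilly", "'; alert(1); //", "</script><script>alert(1)</script>"]
    for s in samples:
        print(repr(s))
        print("  naive:", naive_js(s), "-> trailing", repr(trailing_after_literal(naive_js(s))))
        print("  safe: ", safe_js(s), "-> trailing", repr(trailing_after_literal(safe_js(s))))
```

The scanner makes the thread's observation visible: `naive_js("O'Reilly")` produces a statement that works for most inputs but fails on the first apostrophe, while an unquoted `var s = %s` substitution leaves the value bare and fails on nearly every input, so the bug is caught immediately rather than shipped. Treating the quoting function as the thing that owns the quotes is the same contract the DB-API parameter style enforces.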