Ok thanks for the explanation, I didn't realize this piece of code was used for attribute replacement too.

> Test checked in by the way.

Thanks a lot. However it doesn't test the case you describe below, does it?

> > (And if it's a fix it should be in HEAD too.)
>
> Why?

Well, because otherwise 2.7 won't have the fix :-)

Florent

On Mon, 2002-12-23 at 18:29, Andy McKay wrote:
> > But why? Why escape double quotes when it's not a reserved character?
> > I really don't understand the need, and the example in the collector
> > doesn't convince me. What is the problem?
>
> The problem occurs where you want to include the value of a variable inside an
> attribute.
>
> For example:
>
> <input type="string" tal:attributes="value someValue">
>
> By default Page Templates replaces the escaped value in the form, unless
> "structure" is specified. If someValue contained a " (eg: test with a "
> quote) then you would get the following invalid html (this is what you
> currently get):
>
> <input type="string" value="test with a " quote">
>
> This of course should be (and what the patch changes it to):
>
> <input type="string" value="test with a &quot; quote">
>
> If you do not escape double quotes in the Page Template html quoting
> function, you will never be able to easily use Page Templates unless you are
> sure that someValue does not have double quotes escaped. This would mean
> having to import an escaping function into your page templates or adding an
> extra layer of python involved for almost every use of a variable.
>
> Otherwise you would be living on the edge as you would never be quite sure
> if your HTML is properly escaped. For example this occurs in almost all of
> the CMF skin. Note that in good old DTML if you use html_quote, you're
> escaping " by default (lib\python\DocumentTemplate\html_quote.py).
>
> If we are escaping <> and &, I see no reason not to escape " as well.
>
> And I believe the Zope Book Appendix C needs updating to reflect this.
>
> Test checked in by the way.
> --
>   Andy McKay

--
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:[EMAIL PROTECTED]

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
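
The attribute breakage described in the quoted message, reproduced as an added example that is not part of the original thread and is not Zope's code. Python's standard `html.escape` and `html.parser` stand in for the Page Template quoting function and for the consumer of the markup; `render_input`, `parsed_attrs` and `round_trips` are hypothetical helpers.

```python
# Added illustration, not Zope's implementation. render_input() is a
# hypothetical stand-in for what tal:attributes does when it substitutes
# an escaped value into an attribute.
from html import escape
from html.parser import HTMLParser


def render_input(value, escape_quotes):
    """Build the <input> tag from the thread with the value substituted."""
    return '<input type="string" value="%s">' % escape(value, quote=escape_quotes)


class AttrCollector(HTMLParser):
    """Record the attributes a parser sees on the first <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attrs(markup):
    """Parse the markup and return the <input> attributes as a dict."""
    collector = AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs


def round_trips(value, escape_quotes):
    """True if the parser recovers exactly `value` and no extra attributes."""
    attrs = parsed_attrs(render_input(value, escape_quotes))
    return attrs == {"type": "string", "value": value}


if __name__ == "__main__":
    some_value = 'test with a " quote'  # sample value taken from the thread
    for flag in (False, True):
        markup = render_input(some_value, flag)
        # Without quote escaping the value is cut at the embedded quote and
        # the remainder is parsed as a separate, attacker-influenced attribute.
        print(flag, markup, parsed_attrs(markup))
```

Escaping only `<`, `>` and `&` is enough for element content, which is why the third assertion-style case (a value containing `<` and `&`) survives either way; only the attribute context needs `"` escaped.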