The problem occurs where you want to include the value of a variable inside an

For example:

<input type="string" tal:attributes="value someValue">

By default Page Templates replaces the escaped value in the form, unless
"structure" is specified. If someValue contained a " (e.g. test with a "
quote) then you would get the following invalid HTML (this is what you
currently get):

<input type="string" value="test with a " quote">

This of course should be (and what the patch changes it to):

<input type="string" value="test with a &quot; quote">

If you do not escape double quotes in the Page Template HTML quoting
function, you will never be able to easily use Page Templates unless you are
sure that someValue does not have double quotes escaped. This would mean
having to import an escaping function into your page templates or adding an
extra layer of Python involved for almost every use of a variable.
I think page templates should escape quotes in tal:attributes, but not under other circumstances.

Also, I believe that an alternative in the example you give would be to use single quotes. This is consistent with how quoteattr works:

>>> from xml.sax.saxutils import quoteattr
>>> print quoteattr('foo" bar')
'foo" bar'
>>> print quoteattr("""foo' bar""")
"foo' bar"
>>> print quoteattr("""foo'" bar""")
"foo'&quot; bar"

quoteattr only resorts to using &quot; when there is no alternative -- that is, when the string being quoted contains both a single quote and a double quote.

So, perhaps an alternative fix would be to revert the current fix, and instead make tal:attributes use quoteattr.

Steve Alexander

Zope-Dev maillist - [EMAIL PROTECTED]
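
The three behaviours discussed in this thread, compared by parsing the rendered tag back, as an added example that is not part of the original messages and is not Page Templates code. It assumes Python 3's html.escape as a stand-in for the template quoting function; the render_* names and the sample values are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from xml.sax.saxutils import quoteattr


class _AttrReader(HTMLParser):
    """Collects the attributes of the first <input> tag it sees."""
    attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attrs(markup):
    """Parse markup the way a lenient HTML parser would; return the attributes."""
    reader = _AttrReader()
    reader.feed(markup)
    reader.close()
    return reader.attrs


def render_no_quote_escape(value):
    # Behaviour the thread calls broken: &, <, > escaped, '"' left alone.
    return '<input type="string" value="%s">' % escape(value, quote=False)


def render_quote_escape(value):
    # Behaviour after the patch: '"' becomes &quot; inside the attribute.
    return '<input type="string" value="%s">' % escape(value, quote=True)


def render_quoteattr(value):
    # Alternative from the reply: quoteattr chooses the delimiter itself.
    return '<input type="string" value=%s>' % quoteattr(value)


# Constructed sample values; the last one smuggles in a second attribute.
SAMPLES = ['test with a " quote', "foo' bar", "foo'\" bar", 'x" data-injected="1']

if __name__ == "__main__":
    for s in SAMPLES:
        for render in (render_no_quote_escape, render_quote_escape, render_quoteattr):
            attrs = parsed_attrs(render(s))
            print(render.__name__, repr(s), attrs["value"] == s, sorted(attrs))
```

Only the first renderer lets a value end the attribute early, so the parser sees a truncated value plus attribute names that came from the data; both the patched escaping and quoteattr round-trip every sample.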