Opened 18 years ago
Closed 18 years ago
#9 closed defect (fixed)
default behavior for escaping quotes
| Reported by: | mgood | Owned by: | cmlenz |
|---|---|---|---|
| Priority: | major | Milestone: | 0.1 |
| Component: | General | Version: | |
| Keywords: | | Cc: | |
Description
Markup.escape escapes " to &#34; by default, though this behavior is only necessary for attribute values. The methods for joining and interpolating with Markup objects were all using the default behavior until I switched Markup.join in r35 since it was breaking JavaScript code which used quotes. I've left the other methods, but it seems like they should be consistent:
>>> print Element('br') + '"hello"'
<br/>"hello"
>>> print Markup('<br/>') + '"hello"'
<br/>&#34;hello&#34;
I guess this was safer in Trac where Markup may have been used like:
Markup('<a href="%s">%s</a>', href.wiki(), 'Wiki')
Thoughts?
Change History (3)
comment:1 Changed 18 years ago by cmlenz
I think a Markup instance should not make assumptions about whether it's going to be used inside or outside of an attribute value. For that reason it needs to use the “safest” kind of quoting, which includes escaping quotes.
Can you explain in more detail what kind of scenario was causing the problem for you? I.e. why are you using Markup to construct a <script> element?
comment:2 Changed 18 years ago by cmlenz
- Status changed from new to assigned
Okay, it looks like the actual issue here is that the WhitespaceFilter uses Markup.join() to join together separate text nodes. At this stage it actually is clear that the content isn't going to end up in an attribute value, so we can just add a parameter to disable the quote-escaping on the join() method.
comment:3 Changed 18 years ago by cmlenz
- Resolution set to fixed
- Status changed from assigned to closed
Should be fixed in [58].
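The distinction this ticket turns on, as an added example that is not part of the ticket and not the project's own code: a simplified Python 3 model in which `escape`, `join_text`, `link_attrs` and the sample values are hypothetical names and constructed data. It shows that leaving quotes unescaped is harmless when joining text nodes, but changes how the markup parses once the same value is interpolated into an attribute.

```python
from html.parser import HTMLParser


def escape(text, quotes=True):
    """Simplified model of the escaping discussed in the ticket."""
    text = text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quotes:
        text = text.replace('"', "&#34;")  # only needed inside attribute values
    return text


def join_text(parts, sep="", escape_quotes=True):
    """Join text nodes; escape_quotes=False is for element content only."""
    return sep.join(escape(p, quotes=escape_quotes) for p in parts)


class _FirstAnchor(HTMLParser):
    """Records the attributes an HTML parser sees on the first <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def link_attrs(href, quotes):
    """Interpolate href into an attribute and return what the parser sees."""
    parser = _FirstAnchor()
    parser.feed('<a href="%s">Wiki</a>' % escape(href, quotes=quotes))
    parser.close()
    return parser.attrs


# Constructed sample values, not taken from the ticket.
TEXT_NODES = ['alert(', '"hello"', ')']
HREF = 'wiki" title="unexpected'

if __name__ == "__main__":
    print(join_text(TEXT_NODES, escape_quotes=False))  # quotes kept in text
    print(join_text(TEXT_NODES))                       # quotes escaped
    print(link_attrs(HREF, quotes=True))   # one attribute: href
    print(link_attrs(HREF, quotes=False))  # value split into two attributes
```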