durusmail: quixote-users: Documenting the HTML template feature of PTL
2003-01-05
Titus Brown
-> Here's a first crack at documentation for the new HTML template type
-> that will be available in the next Quixote release.  I've left out that
-> part that explains the new, preferred plain text template syntax. E.g.:
->
->     def foo [plain] (request):
->         'Hello, this is a plain text template named foo.'
->
-> I would like to get a new Quixote release out and documentation is the
-> major piece missing.

[ munch ]

I understood this completely -- and think it's very clean, and quite
nice -- except for this one bit:

-> It is also recommended that the ``htmltext`` constructor be used as
-> sparingly as possible.  The reason is that when using the htmltext
-> feature of PTL, explicit calls to ``htmltext`` become the most likely
-> source of cross-site scripting holes.  Calling ``htmltext`` is like
-> saying "I am absolutely sure this piece of data cannot contain malicious
-> HTML code injected by a user.  Don't escape HTML special characters
-> because I want them."

I had to play around a bit with the code to understand this.  I think
you're saying that strings are automatically htmlescape()d unless explicitly
run through the 'htmltext' function, yes?  Perhaps adding a line such as:

"Again, in template functions of type 'html', everything is automatically
escaped unless the string literal is explicitly passed through 'htmltext'
in your code.  It is recommended that this be used as sparingly as..."

My 2c...

--titus
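As an added illustration of the rule Titus paraphrases above (this is editor-supplied example code, not Quixote's own ``htmltext`` implementation and not part of either message), here is a small Python model of the ``html`` template semantics: string literals in the template are already trusted markup, every other value that gets concatenated or interpolated is escaped, and an explicit ``htmltext(...)`` call is the one way to opt a value out of escaping. The class, the ``greeting``/``link`` functions and the constructed sample inputs are all assumptions made for the example.

```python
import html


class htmltext(str):
    """Marker type for content that is already safe to emit as HTML.

    Simplified model (assumption) of the idea the page describes, not
    Quixote's class: combining htmltext with a plain str escapes the str.
    """

    def __add__(self, other):
        return htmltext(str.__add__(self, htmlescape(other)))

    def __radd__(self, other):
        # plain_str + htmltext: Python prefers the subclass's reflected method
        return htmltext(str.__add__(htmlescape(other), self))

    def __mod__(self, args):
        # htmltext('<a href="%s">%s</a>') % (url, label) escapes each argument
        if isinstance(args, tuple):
            args = tuple(htmlescape(a) for a in args)
        else:
            args = htmlescape(args)
        return htmltext(str.__mod__(self, args))

    def join(self, parts):
        return htmltext(str.join(self, [htmlescape(p) for p in parts]))


def htmlescape(value):
    """Escape anything that has not been explicitly marked as htmltext."""
    if isinstance(value, htmltext):
        return value  # caller asserted this is trusted markup; pass through
    return htmltext(html.escape(str(value), quote=True))


def greeting(name):
    """Models what a `def greeting [html] (name):` template compiles to:
    the literals are htmltext, the interpolated value is escaped."""
    return htmltext('<p>Hello, ') + name + htmltext('</p>')


def link(url, label):
    """Same rule through %-formatting: both arguments are escaped."""
    return htmltext('<a href="%s">%s</a>') % (url, label)


def unsafe_greeting(name):
    """The pattern the draft documentation warns against: wrapping user data
    in htmltext() switches escaping off, so any markup in `name` is emitted
    verbatim. Shown only to make the contrast visible."""
    return htmltext('<p>Hello, ') + htmltext(name) + htmltext('</p>')


def item_list(items):
    """join() follows the same rule as + and %."""
    return htmltext('<ul>') + htmltext('').join(
        [htmltext('<li>%s</li>') % item for item in items]
    ) + htmltext('</ul>')


if __name__ == '__main__':
    # constructed sample input containing markup characters
    print(greeting('<b>Bob</b>'))
    print(link('http://example.com/?a=1&b=2', 'A & B'))
    print(unsafe_greeting('<b>Bob</b>'))
    print(item_list(['one', '<two>']))
```

The point Titus asks to have spelled out falls directly out of the types: a value stays escaped everywhere unless someone writes ``htmltext(value)`` around it, which is why that call is the place to audit for cross-site scripting.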
