durusmail: quixote-users: htmltext in PTL
htmltext in PTL
Jason Sibre
2004-12-10
Quoting Mike Orr:
>
> By the way, the one annoyance I've found with PTL is, would it please stop
> encoding the other operands in a "+" expression?  Nine times out of ten
> when I do:
>      string1 + htmltextString
> string1 is preformatted HTML and I want it left as is.   In my output
> filter I had to do:
>     output = top + htmltext(output) + bottom
> or
>     output = str(top) + str(output) + str(bottom)
>
> to make it behave.  ('top' and 'bottom' are htmltext from a PTL;
> 'output' is whatever the page callable returned.)
>

Mike,
I'm not positive I understand your complaint, but if I do, I think you must have
either found a bug in the version of Quixote you're using, or ...  maybe you
don't 'get' the idea behind htmltext ...?

The fact that htmltext automatically converts any string it's combined with
(whether via "+" or string formatting/substitution) is the whole purpose of
htmltext's existence.  It provides a safety net that ensures (provided you
don't deliberately undermine it) no data is sent to the browser without being
properly escaped, whether that data came from literal strings in the source
code, or was read from a database, etc.  This helps defend against cross-site
scripting and other similar ills, with little or no developer effort.

Re: your example of:

>     In my output
> filter I had to do:
>     output = top + htmltext(output) + bottom
> or
>     output = str(top) + str(output) + str(bottom)
>
> to make it behave.  ('top' and 'bottom' are htmltext from a PTL;
> 'output' is whatever the page callable returned.)

I'm assuming the problem here is that when you do:
     output = top + output + bottom
the contents of output get escaped, and you end up with stuff like
"""
....
    <table>
        <tr>
            <td>some text</td>
        </tr>
    </table>
....
"""
getting sent to the browser.

I think this means you have either already escaped the contents of 'output' (or
you haven't escaped it, but you're assuming or you know it doesn't need to be
escaped), but left it as a string (why didn't you just use htmlescape() to
escape it, which returns an htmltext instance, or wrap it with htmltext() if
you know it doesn't need to be escaped?), or you've found a bug in which for
some reason the htmltext instance top (or bottom) is incorrectly doing an
htmlescape on an htmltext instance (output).

I -can- see some situations where the current behavior might cause problems.
For example, reading templates from text files: no escaping needed, but if you
don't remember to wrap with htmltext(), it'll eventually get escaped if it's
ever combined with htmltext, causing a mess like my example above.  But, that's
easily dealt with: Convert it to htmltext with the htmltext() call.  I can see
how it might be annoying, though.

I hope I haven't completely missed the point of your message.

Jason
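
An added example (not Quixote's own code, and not part of the thread) that models the htmltext semantics Jason describes with a small `str` subclass: combining with `+` or `%` escapes any operand that is not already htmltext, and the two fixes from Mike's message, `htmltext(output)` for trusted markup and `htmlescape(output)` for untrusted data, are shown side by side. The `TOP`/`BOTTOM` templates and the `*_concat` helpers are constructed for illustration.

```python
import html


class htmltext(str):
    """Marks a string as already-safe HTML. Modelled on the behaviour
    described in the thread; this is NOT Quixote's implementation."""

    def __new__(cls, s=""):
        return super().__new__(cls, s)

    @staticmethod
    def _escape(other):
        # Already-safe HTML passes through untouched; anything else is escaped.
        if isinstance(other, htmltext):
            return str(other)
        return html.escape(str(other), quote=True)

    def __add__(self, other):          # htmltext + x
        return htmltext(str(self) + self._escape(other))

    def __radd__(self, other):         # x + htmltext
        return htmltext(self._escape(other) + str(self))

    def __mod__(self, args):           # htmltext % (...) / htmltext % {...}
        if isinstance(args, tuple):
            args = tuple(self._escape(a) for a in args)
        elif isinstance(args, dict):
            args = {k: self._escape(v) for k, v in args.items()}
        else:
            args = self._escape(args)
        return htmltext(str(self) % args)


def htmlescape(value):
    """Escape a plain value and return it as htmltext so it combines safely."""
    return htmltext(htmltext._escape(value))


# Constructed page skeleton, standing in for 'top' and 'bottom' from a PTL.
TOP = htmltext("<html><body>")
BOTTOM = htmltext("</body></html>")


def naive_concat(output):
    # Mike's original expression: a plain str operand gets escaped.
    return TOP + output + BOTTOM


def trusted_concat(output):
    # Fix for preformatted HTML the developer vouches for (e.g. a file template).
    return TOP + htmltext(output) + BOTTOM


def escaped_concat(output):
    # Fix for data that must not be trusted (user input, database rows).
    return TOP + htmlescape(output) + BOTTOM
```

`naive_concat` is the "mess" Jason sketches: the tags in `output` arrive in the browser as literal text, while the two fixes decide explicitly whether `output` is markup or data.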
