durusmail: quixote-users: Docstring for html.py
Docstring for html.py
Neil Schemenauer
2002-05-22
On Wed, May 22, 2002 at 05:11:40PM -0400, Andrew Kuchling wrote:
> >In addition, I find the entire Note
> >incomprehensible. Is it just me? :-(
> It *is* confusing, because there are two levels of quoting going on
> here: URL and HTML.

There are more levels than that, actually.  The quoting necessary for an
attribute value is different again.  Got embedded javascript code?  More
quoting contexts.  It's a gigantic mess.  The whole thing is so badly
designed it's amazing.  Is it any wonder that there are XSS problems?

The note is still confusing though and could be written more clearly.

> For example, let's say you have a URL with 'action' and 'section'
> parameters, and you want the section to be the string 'R&D'.  You'd
> have to write 'action=search&section=%s' % html.url_quote('R&D').
> This results in the string 'action=search&section=R%26D'.  But if
> you're putting the URL into an HTML page, it needs to be quoted for
> HTML properly with html_quote(), and you get the final HTML text
> 'action=search&amp;keyword=R%26D'.

Don't forget that if you want to use that URL as a CDATA attribute value
you need to use different quoting again.  Hmm, perhaps we should turn
html_quote into a bigger hammer and deprecate value_quote.  html_quote
could replace single and double quote characters with "&#39;" and
"&#34;".

  Neil
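
As an added example (not code from the Quixote html.py under discussion, and using only the Python standard library rather than Quixote's html_quote/url_quote/value_quote), here is the 'R&D' case from the thread carried through every quoting layer: URL-quote the parameter value, join the query, then quote once more for HTML text or for an attribute value, and finally decode back through the layers in reverse.  The function names url_quote, build_query, html_quote, attr_quote, link_for, input_for, href_of and query_from_href are this example's own.

```python
# Added example, not from Quixote's html.py: the quoting layers from the
# thread, implemented with the Python standard library only.  Function
# names here (url_quote, html_quote, attr_quote, ...) are this example's
# own, not Quixote's API.
import re
from html import escape, unescape
from urllib.parse import parse_qs, quote, urlsplit


def url_quote(value):
    """Layer 1: percent-encode one query parameter value ('R&D' -> 'R%26D').

    safe='' so that '&', '=', '/' and '?' inside the value are encoded too;
    otherwise an '&' in the value would be read as a parameter separator.
    """
    return quote(value, safe="")


def build_query(params):
    """Join url-quoted name=value pairs: {'section': 'R&D'} -> 'section=R%26D'."""
    return "&".join(f"{url_quote(k)}={url_quote(v)}" for k, v in params.items())


def html_quote(text):
    """Layer 2a: quote for HTML *text* content (& < > only; quotes are harmless)."""
    return escape(text, quote=False)


def attr_quote(text):
    """Layer 2b: quote for a double-quoted HTML *attribute* value.

    Same as html_quote plus the quote characters, which would otherwise end
    the attribute early.  This is the 'bigger hammer' the thread suggests.
    """
    return escape(text, quote=True)


def link_for(params, base="/search"):
    """Render <a href=...>: URL-quote the values, then attribute-quote the whole
    URL (turning the '&' separators into '&amp;'), and text-quote the label."""
    url = base + "?" + build_query(params)
    label = params.get("section", "")
    return f'<a href="{attr_quote(url)}">{html_quote(label)}</a>'


def input_for(name, value):
    """Render <input ...>: a plain attribute value, not a URL, so only attr_quote."""
    return f'<input name="{attr_quote(name)}" value="{attr_quote(value)}">'


def href_of(anchor_html):
    """Pull the raw (still entity-encoded) href attribute out of an <a> tag."""
    return re.search(r'href="([^"]*)"', anchor_html).group(1)


def query_from_href(href_attr):
    """Undo the layers in reverse: entity-decode, split the URL, percent-decode."""
    url = unescape(href_attr)
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    params = {"action": "search", "section": "R&D"}
    print(build_query(params))             # action=search&section=R%26D
    print(link_for(params))
    print(query_from_href(href_of(link_for(params))))
    print(input_for("q", 'say "hi"'))
```

The order matters: the value is percent-encoded before it is joined into the query, and the whole URL is entity-encoded only once it is placed in the attribute, so the '&' that separates parameters becomes '&amp;' while the '&' inside 'R&D' has already become '%26'.  Decoding runs the same steps backwards, which is why query_from_href entity-decodes first and percent-decodes last.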