On 20 June 2002, Quinn Dunkan said:
> I know how close HTML quoting is to some people's hearts around here :) so I
> thought I'd try to clear up a few questions I have about the issue...

I don't know that it's close to my heart -- it just *scares* me. Every time I read about yet another CSS vulnerability, I stop and think: how would *I* avoid that? Would Quixote help, hinder, or be neutral?

> First, am I correct that value_quote(s) is redundant since
> '"' + html_quote(s) + '"' is just as good?

That's my understanding. The docstring says "of marginal utility".

> Secondly, is
> link_url = html_quote(url_quote(url)) correct usage (assuming 'url' doesn't
> include a query string)?

Beats me. From reading the code, it sounds like that *is* the right thing to do, which sort of sucks. There ought to be a sweet and simple way to encode an arbitrary string for use in a URL that's used as an HTML attribute value.

> So my current resolution is "quote manually and just be careful". Maybe
> a short set of guidelines of what to quote would be a good thing.

I think that's the best you can do. Only *you* know where the strings that you're putting in HTML text originate. Here's a beginning of a guideline: If a string originated anywhere other than as a hard-coded constant in your source code, QUOTE IT! Unfortunately, I don't understand all the subtleties lying behind that simple statement.

Greg
-- 
Greg Ward - software developer                gward@mems-exchange.org
MEMS Exchange                            http://www.mems-exchange.org
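The `html_quote(url_quote(url))` layering discussed in this message, as an added worked example that is not part of the thread or of Quixote itself: Python's stdlib `html.escape` and `urllib.parse.quote` stand in for Quixote's `html_quote` and `url_quote` (an assumption about their behaviour on the characters shown), and the example also covers the query-string case the question excludes, since that is where the outer HTML escape visibly matters.

```python
import html
from urllib.parse import quote, urlencode, unquote, parse_qs, urlsplit


# Stand-ins for Quixote's helpers (assumption: Quixote's html_quote and
# url_quote treat the characters used below the way these stdlib calls do).
def html_quote(s):
    # quote=True also escapes '"', so the result is safe inside a "..." attribute
    return html.escape(s, quote=True)


def url_quote(s):
    # percent-encode one path segment; '/' is deliberately NOT kept safe
    return quote(s, safe="")


def link_href(base, segment, params=None):
    """Build the text of an href="..." attribute from untrusted pieces.

    Encode innermost-first: URL-encode the pieces, then HTML-escape the whole
    value. The browser decodes in the reverse order (HTML-decode the attribute,
    then URL-decode when following the link), so each layer undoes one encoder.
    """
    url = base + url_quote(segment)
    if params:
        url += "?" + urlencode(params)  # urlencode keeps the raw '&' between pairs
    # '"' + html_quote(...) + '"' is the value_quote(s) idiom from the thread
    return '"' + html_quote(url) + '"'


def browser_view(attr):
    """Simulate what a browser recovers: strip quotes, HTML-decode, URL-decode."""
    url = html.unescape(attr[1:-1])
    parts = urlsplit(url)
    return unquote(parts.path), parse_qs(parts.query)


# Constructed sample input: hostile characters in both a path segment and a query value.
SAMPLE_ATTR = link_href("/view/", 'a"b <c>&d', {"q": "x&y", "n": '1"2'})
```

Skipping the inner `url_quote` lets URL metacharacters such as `#` or `?` in a path segment change the URL's structure even though the HTML escape alone keeps the attribute from breaking out.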