Escaping in templates
bbaetz at acm.org
Tue Feb 3 09:11:42 UTC 2004
On Mon, Feb 02, 2004 at 10:13:58PM +0000, Gervase Markham wrote:
> Do you url_quote anything which is part of a URL, and html anything
> else? Or is it not that simple? Do you ever need both?
TT comes with a 'uri' filter. That filters characters which aren't valid
in a URI. The issue is that & is valid in a URI, so it's not filtered,
but we do need to filter it - both in html, and also if it's a component
of the URL, not the separator.
The other reason TT doesn't do that is that we may have part of a url.
If I have a product called 'foo&bar' (which I strongly recommend you all
do on your dev instances :) ), then if I'm constructing
'&product=foo&bar', I want the second & to be a %xx bit, but not the
- uri | html quote a URL which already has individual bits quoted.
- uri_quote _part_ of a URL
- If you're not producing HTML, don't HTML quote it.
You can't filter an entire URI from scratch, because it's ambiguous - see
my example above.
Technically it's also uri_quote | html, but uri_quote doesn't leave any
characters that need html escaping - it's all built in.
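Added worked example (not part of the mail above, and not Bugzilla or Template Toolkit code): the three escaping layers being discussed, written in Python so the 'foo&bar' product case can be run end to end. uri_quote() stands in for quoting a single URL component, tt_uri() is an approximation of TT's 'uri' filter as the mail describes it (only characters that aren't valid in a URI get escaped, so & survives), and html() is the HTML escape for the attribute. The function names, the buglist.cgi base URL and the parameter values are this example's own assumptions.

```python
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample input: the product name from the mail, plus a component
# with a space so that per-component quoting has something else to do.
PARAMS = {"product": "foo&bar", "component": "x y"}


def uri_quote(component: str) -> str:
    """Quote ONE URL component: everything except unreserved characters
    (letters, digits, '_.-~') becomes %XX, including '&' and '='.
    Stands in for the uri_quote filter named in the mail."""
    return quote(component, safe="")


def tt_uri(url: str) -> str:
    """Approximation of TT's 'uri' filter as described in the mail: only
    characters that are not valid in a URI are escaped, so '?', '&' and '='
    pass through untouched. '%' is kept safe as well, so a URL whose
    individual bits are already quoted is not double-encoded."""
    return quote(url, safe="%/?:&=#;@+,$!~*'()")


def html(s: str) -> str:
    """HTML-escape for use inside an attribute value (& < > \" ')."""
    return escape(s, quote=True)


def build_query(params: dict) -> str:
    """uri_quote each key and value on its own, THEN join with the real
    separators. The '&' inside 'foo&bar' becomes %26; the '&' between
    parameters stays a separator."""
    return "&".join(f"{uri_quote(k)}={uri_quote(v)}" for k, v in params.items())


def href(base: str, params: dict) -> str:
    """What goes into href="...": per-component quoting first, then one HTML
    escape over the whole URL (the 'uri_quote _part_ of a URL' and
    'uri | html' rules from the mail)."""
    return html(f"{base}?{build_query(params)}")


def params_seen_by_server(url: str) -> dict:
    """How a CGI on the receiving end decodes the query string."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def whole_url_quoting_loses_data(product: str) -> bool:
    """The ambiguity from the mail: once '?product=foo&bar' has been built as
    one string, a filter over the whole URL cannot tell which '&' is data and
    which is a separator, so the server ends up with product=foo."""
    naive = tt_uri(f"buglist.cgi?product={product}")
    return params_seen_by_server(naive).get("product") != product


if __name__ == "__main__":
    print("per-component :", href("buglist.cgi", PARAMS))
    print("server sees   :", params_seen_by_server("buglist.cgi?" + build_query(PARAMS)))
    print("whole-URL only:", tt_uri("buglist.cgi?product=foo&bar"),
          "-> lost?", whole_url_quoting_loses_data("foo&bar"))
```

Running it shows the href coming out as buglist.cgi?product=foo%26bar&amp;component=x%20y, which the browser turns back into product=foo%26bar&component=x%20y and the server decodes to the original values; the whole-URL route leaves product=foo&bar as is and the server sees product=foo. The last rule in the mail (uri_quote | html is a no-op for the html step) also holds here: uri_quote's output contains only unreserved characters and %XX triplets, none of which html() touches.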