Escaping in templates

Bradley Baetz bbaetz at
Tue Feb 3 09:11:42 UTC 2004

On Mon, Feb 02, 2004 at 10:13:58PM +0000, Gervase Markham wrote:
> Do you url_quote anything which is part of a URL, and html anything 
> else? Or is it not that simple? Do you ever need both?

TT somes with a 'uri' filter. That filters characters which aren't valid 
in a URI. The issue is that & is valid in a uri, so its not filtered, 
but we do need to filter it - both in html, and alao if its a component 
of the URL, not the separator.

The other reason TT doesn't do that is that we may have part of a url. 
If I have a product called 'foo&bar' (which I strongly recommend you all 
do on your dev instances :) ), then if I'm constructing 
'&product=foo&bar', I want the second & to be a %xx bit, but not the 

So bascially:

- uri | html quote a URL which already has a individual bits quoted.
- uri_quote _part_ of a URL
- If you're not producing HTML, don't HTML quote it.

You can't filter an entire URI from scratch, because its ambiguous - see 
my example above.

Technically its also uri_quote | html, but uri_quote doesn't leave any 
characters that need html escaping - its all built in.


More information about the developers mailing list