[albatross-users] Should escaping also escape "+"?
Gregory Bond
gnb at itga.com.au
Tue Dec 2 16:48:56 EST 2003
Consider this:

    import albatross
    ctx = albatross.SimpleContext('.')
    ctx.locals.val = 'a+b'
    albatross.Template(ctx, '<magic>', '''
    <al-a expr="'?file=%s' % val">Test</al-a>
    ''').to_html(ctx)
    ctx.flush_content()

This returns

    <a href="?val=a+b">Test</a>

But (in the context of a larger application), when the link is clicked on,
ctx.locals.file gets set to "a b".

(The real code is a form with many filenames and a "process" link next to each
to process the named file.)

Should the HTML escaping also escape + characters? And "?" characters? Or am
I asking Albatross to protect me from myself (or more accurately from idiot
users who put "+" signs in filenames) and I should check for this myself?
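
The two encoding layers involved here, as an added example that is not part of the original post and is not Albatross code: it uses only the Python 3 standard library, and the function names and sample filenames are hypothetical. It compares what a query-string parser recovers when a value is only HTML-escaped with what it recovers when the value is percent-encoded first.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

def href_html_escaped_only(param, value):
    """Mirror the post's template: HTML-escape the URL, nothing else."""
    return html.escape("?%s=%s" % (param, value), quote=True)

def href_url_encoded(param, value):
    """Percent-encode the value for the query string, then HTML-escape
    the whole URL for the attribute. safe='' also encodes '/'."""
    url = "?%s=%s" % (quote(param, safe=""), quote(value, safe=""))
    return html.escape(url, quote=True)

def server_sees(href_attr, param):
    """Reverse both layers as a browser and form parser would:
    HTML-unescape the attribute, then decode the query string."""
    url = html.unescape(href_attr)
    fields = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return fields.get(param, [None])[0]

# Constructed sample filenames, not taken from the poster's application.
SAMPLES = ["a+b", "a b", "r&d=1.txt", "what?.txt",
           "rate%20card.txt", "notes#2.txt"]

def compare(samples=SAMPLES, param="file"):
    """Return (filename, html-only result, url-encoded result) per sample."""
    rows = []
    for name in samples:
        naive = server_sees(href_html_escaped_only(param, name), param)
        fixed = server_sees(href_url_encoded(param, name), param)
        rows.append((name, naive, fixed))
    return rows

if __name__ == "__main__":
    for name, naive, fixed in compare():
        print("%-18r html-only -> %-18r url-encoded -> %r"
              % (name, naive, fixed))
```

HTML escaping protects the attribute from the markup parser only; "+", "&", "%" and "#" are all legal inside an attribute yet carry meaning in a URL, so the value has to be percent-encoded before it is placed in the query string.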