[albatross-users] Should escaping also escape "+"?
Michael C. Neel
neel at mediapulse.com
Wed Dec 3 02:02:27 EST 2003
In looking at the code, it seems albatross does its own escaping:

    def escape(text):
        text = str(text)
        text = text.replace('&', '&amp;')
        text = text.replace('<', '&lt;')
        text = text.replace('>', '&gt;',)
        text = text.replace('"', '&quot;')
        text = text.replace("'", '&#39;')
        return text

Is there a reason not to use urllib.quote or urllib.quote_plus? Or
maybe urllib wasn't around at the time and this is just some legacy
stuff?
>>> import urllib
>>> urllib.quote_plus('a+b')
'a%2Bb'
>>> urllib.quote_plus('?a+b')
'%3Fa%2Bb'
>>> urllib.quote_plus('?<>&"\'a+b')
'%3F%3C%3E%26%22%27a%2Bb'
(btw, if you are naming files like the last, there is a special place in
/dev/null reserved for you!)
Mike
> -----Original Message-----
> From: Gregory Bond [mailto:gnb at itga.com.au]
> Sent: Tuesday, December 02, 2003 12:49 AM
> To: albatross-users
> Subject: [albatross-users] Should escaping also escape "+"?
>
>
> Consider this:
>
> import albatross
> ctx = albatross.SimpleContext('.')
> ctx.locals.val = 'a+b'
> albatross.Template(ctx, '<magic>', '''
> <al-a expr="'?file=%s' % val">Test</al-a>
> ''').to_html(ctx)
> ctx.flush_content()
>
> This returns
> <a href="?val=a+b">Test</a>
> But (in the context of a larger application), when the link
> is clicked on,
> ctx.locals.file gets set to "a b".
>
> (The real code is a form with many filenames and a "process"
> link next to each
> to process the named file.)
>
> Should the HTML escaping also escape + characters? And "?"
> characters? Or am
> I asking Albatross to protect me from myself (or more
> accurately from idiot
> users who put "+" signs in filenames) and I should check for
> this myself?
>
>
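Added example, not part of the original thread or of Albatross: a Python 3 sketch (`urllib.parse` replaces the Python 2 `urllib` calls shown above) of the two encoding layers an `href` query value passes through. The function names, the extra `op` parameter and the sample filenames are constructed for illustration.

```python
from html import escape, unescape
from urllib.parse import parse_qs, urlencode


def href_html_only(name):
    """HTML-escape the attribute only, as in the behaviour reported in the thread."""
    return escape("?file=%s" % name, quote=True)


def href_both_layers(params):
    """Percent-encode each query value first, then HTML-escape the attribute."""
    return escape("?" + urlencode(params), quote=True)


def server_sees(href_attr):
    """Simulate browser and server: undo HTML escaping, then parse the query."""
    url = unescape(href_attr)
    parsed = parse_qs(url.lstrip("?"), keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def round_trips(name):
    """Return (html_only_ok, both_layers_ok) for one filename."""
    weak = server_sees(href_html_only(name)).get("file")
    strong = server_sees(
        href_both_layers({"file": name, "op": "process"})
    ).get("file")
    return weak == name, strong == name


# Constructed sample filenames: '+' and '&' are URL syntax, '"' and '<' are HTML syntax.
SAMPLES = ["a+b", "a&b=c", 'x"y<z']

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), href_html_only(sample), round_trips(sample))
```

HTML escaping alone is enough for `"` and `<`, but `+` and `&` only survive when the value is percent-encoded before it is placed in the attribute.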