[albatross-users] "noescape" tag attribute

Andrew McNamara andrewm at object-craft.com.au
Wed Apr 6 11:13:46 EST 2011


While reviewing the "Tag Reference" section of the manual, I've noticed a
bit of an inconsistency. The "noescape" attribute is documented as only
having the following effects:

 * for <al-input>, noescape turns off the escaping of the evaluated value=
   attribute.

 * for <al-select>, noescape turns off the escaping of the generated
   <option> values.

 * for <al-textarea>, noescape turns off the escaping of the evaluated
   content that is generated for the tag.

 * for <al-img>, noescape turns off the escaping of the src="" attribute.

 * for <al-value>, noescape turns off the escaping of the replacement
   content.

Unfortunately, as other evaluated attributes have been added, the "noescape"
logic has been extended to them as well, and "noescape" is all or
nothing. I'm worried that this is too much rope - someone will have
a nasty accident and pass unescaped content through, not realising it
applies to other tag attributes than those documented. Even if we fix
the documentation, it's too broad in scope to be used safely.

My feeling is that there is never a case for *not* escaping attributes,
and escaping of attributes should be made unconditional. My proposal is
to restrict the use and application of "noescape" to:

 * <al-value> content
 * <al-select> optionexpr-generated <option> body
 * <al-textarea> content body

The use of the attribute on other tags would become an error.

BTW, the escape function is:

    def escape(text):
        # Coerce to str, then replace each HTML-significant character with
        # its entity. '&' must be handled first so the '&' of the entities
        # produced by the later replacements is not escaped again.
        text = str(text)
        text = text.replace('&', '&amp;')
        text = text.replace('<', '&lt;')
        text = text.replace('>', '&gt;')
        text = text.replace('"', '&quot;')
        text = text.replace("'", '&#39;')  # numeric entity: &apos; is not defined in HTML 4
        return text

BTW2, this single function tops the list when template rendering is
profiled - a more efficient replacement could make template rendering up
to 20% faster (although this is insignificant in most applications). If
anyone is aware of a more efficient way of doing this, let me know
(and before you ask, regexps are 2-3x slower).

-- 
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/
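The following is an added illustration, not code from the post above or from Albatross: the posted escape() with its entities restored, two equivalent implementations to compare it against (a str.translate table and the stdlib html.escape), and a hypothetical pair of <al-input>-style renderers, render_input_all_or_nothing and render_input_hardened, modelling the all-or-nothing "noescape" behaviour the post objects to and the proposed rule. The renderer functions, _ESCAPE_TABLE, the constructed BREAKOUT value and the benchmark helper are assumptions introduced here; parsed_attributes runs the rendered tag through Python's HTMLParser to show what attributes a browser would actually see.

```python
"""Added illustration of the 'noescape' concern. escape() is the posted
function with its entities restored; render_input_* are hypothetical models
of tag rendering, not Albatross code."""
import html
import timeit
from html.parser import HTMLParser


def escape(text):
    """Chained-replace escape as posted. '&' goes first so the entities
    produced later are not double-escaped; the apostrophe uses a numeric
    entity because &apos; is not defined in HTML 4."""
    text = str(text)
    text = text.replace('&', '&amp;')
    text = text.replace('<', '&lt;')
    text = text.replace('>', '&gt;')
    text = text.replace('"', '&quot;')
    text = text.replace("'", '&#39;')
    return text


# Single pass via a translation table: no ordering dependency between the
# five replacements. Whether it beats chained replace is workload-dependent
# (CPython's own html.escape uses chained replace), so measure, don't assume.
_ESCAPE_TABLE = str.maketrans({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
})


def escape_translate(text):
    return str(text).translate(_ESCAPE_TABLE)


def escape_stdlib(text):
    """html.escape(quote=True) covers the same five characters but emits
    &#x27; for the apostrophe; browsers decode both to the same character."""
    return html.escape(str(text), quote=True)


def render_input_all_or_nothing(name, value, noescape=False):
    """Hypothetical model of the behaviour the post objects to: noescape
    silently switches off escaping of the value= attribute as well."""
    v = str(value) if noescape else escape(value)
    return '<input name="%s" value="%s">' % (escape(name), v)


def render_input_hardened(name, value, noescape=False):
    """The proposed rule: attribute values are always escaped, and noescape
    on a tag where it is not permitted is an error, not silently honoured."""
    if noescape:
        raise ValueError('noescape is not permitted on <al-input>')
    return '<input name="%s" value="%s">' % (escape(name), escape(value))


class _AttrCollector(HTMLParser):
    """Collects start-tag attributes the way a browser's parser sees them."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def parsed_attributes(fragment):
    """Return [(name, value), ...] for the attributes found in fragment;
    attribute values come back with entities decoded."""
    p = _AttrCollector()
    p.feed(fragment)
    p.close()
    return p.attrs


# Constructed sample: a value that closes the value= attribute and smuggles
# in an event handler if it reaches the page unescaped.
BREAKOUT = '" onfocus="alert(1)" autofocus="'


def benchmark(sample, number=100000):
    """Time the three implementations on one sample; seconds per function."""
    return {
        fn.__name__: timeit.timeit(lambda: fn(sample), number=number)
        for fn in (escape, escape_translate, escape_stdlib)
    }


if __name__ == '__main__':
    leaky = render_input_all_or_nothing('q', BREAKOUT, noescape=True)
    print(leaky)                     # four attributes, two of them attacker-chosen
    print(parsed_attributes(leaky))
    safe = render_input_hardened('q', BREAKOUT)
    print(safe)                      # two attributes; the payload stays a string
    print(parsed_attributes(safe))
    print(benchmark('a plain value with <one> "tag" & an apostrophe\'s entity'))
```

Running the module prints the leaky and hardened renderings of the same value, then the parsed attribute lists, which is the clearest way to see that the difference is not cosmetic: the all-or-nothing renderer hands the browser an onfocus handler, the hardened one hands it a string. The benchmark only reports times; it makes no claim about which variant wins on a given interpreter.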
