On Wed, Jul 14, 2010 at 10:18 AM, Martin Stein
<[email protected]> wrote:
> Hi all,
>
> I've noticed that the pylons trunk template defaults to using the
> escape function from markupsafe now (previously from webhelpers.html)
>
> I think the move to markupsafe is great (fast c-extension), but the
> two filters escape None differently:
>
> >>> import webhelpers.html, markupsafe
> >>> webhelpers.html.escape(None)
> literal(u'')
> >>> markupsafe.escape(None)
> Markup(u'None')
>
> Is this intentional? Is there a way to keep the None -> empty-string
> escaping without plugging in a custom filter?

Ben sent me a link to Markupsafe and I'm considering incorporating it
into the WebHelpers HTML builder, but I just moved to a new apartment
so haven't tested it yet. It will have to be 100% compatible with the
way the builder does things, and that may mean a shadow class or
overriding some aspects.

So None will continue to render as "" by the next release, but it may
not do that currently in pylons-dev. You may have to create a
temporary filter in the meantime.

Testing and patches for the WebHelpers builder would also be welcome.

And also, is everybody OK with replacing the core of 'literal' with
MarkupSafe? It's supposed to be faster, compatible, and address a
minor security issue [1]. The C extension is optional, and I
understand it will fall back to Python code if it's not available. On
the other hand, there were problems earlier installing on Windows due
to simplejson's speedups which didn't degrade gracefully, and pip
can't install a binary egg directly (only easy_install can). I'm also
unhappy with the tag-building code in WebHelpers anyway, which does
dumb string concatenation more than I expected.

[1] The security issue is that single quotes are not escaped, so that
the value in <div class='${foo}'> gets ended prematurely if foo
contains a single quote. But that's invalid HTML anyway because you're
supposed to use double quotes, not single quotes, around an attribute
value. I didn't know anybody used single quotes until Ben brought it
up.

--
Mike Orr <[email protected]>
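
The two behaviours discussed in this thread, shown as an added example that is not part of either message or of the Pylons, WebHelpers or MarkupSafe code: how a single quote in `foo` changes what a parser sees in `<div class='${foo}'>`, and a wrapper filter that keeps None rendering as an empty string. It uses the standard library's `html.escape` as a stand-in for both escapers so it runs without either package; the function names and the sample value are constructed for illustration.

```python
import html
from html.parser import HTMLParser


def escape_keep_single_quote(value):
    # Constructed stand-in for an escaper that handles & < > " but not '.
    return html.escape(str(value), quote=False).replace('"', "&quot;")


def escape_all_quotes(value):
    # html.escape(quote=True) also rewrites ' as &#x27;.
    # Like the markupsafe call quoted in the thread, None becomes "None".
    return html.escape(str(value), quote=True)


def none_as_empty(escaper):
    # Hypothetical temporary filter: None renders as "", the rest is escaped.
    def filt(value):
        return "" if value is None else escaper(value)
    return filt


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def parsed_attrs(foo, escaper):
    # Render the thread's <div class='${foo}'> and return the attributes
    # an HTML parser actually sees in the result.
    collector = _AttrCollector()
    collector.feed("<div class='%s'>" % escaper(foo))
    collector.close()
    return collector.attrs


SAMPLE = "a' data-extra='1"  # constructed value containing a single quote

if __name__ == "__main__":
    print(parsed_attrs(SAMPLE, escape_keep_single_quote))       # two attributes
    print(parsed_attrs(SAMPLE, none_as_empty(escape_all_quotes)))  # one attribute
    print(parsed_attrs(None, escape_all_quotes))                # class is "None"
    print(parsed_attrs(None, none_as_empty(escape_all_quotes)))  # class is ""
```
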