Robin Becker wrote: > Tim van der Leeuw wrote: >> On Fri, Feb 22, 2008 at 5:17 PM, Robin Becker <[EMAIL PROTECTED]> wrote: >> >>> A colleague has decided to keep his django database string values (which >>> are xml >>> fragments) in an xml escaped form to avoid having the problem of escaping >>> them >>> when they are used in templates etc etc. >>> >>> Unfortunately he found that the normal admin doesn't escape on the way >>> through >>> so thought of adding a standard mechanism to the save methods. However, >>> this >>> brings in the possibility of escaping twice ie once in his original >>> capture code >>> and then in the django save methods. >>> >> Well -- you escape them in the save() method only when they contain XML >> charachters like <, > ? How about that, wouldn't that work? >> >> --Tim >> > ...... > That might work, but there are all the ampersands etc etc to consider as > well. > So an escaped string could contain &, but so can a raw string.
by the way, be careful - the Django trunk is already modified to perform escaping by default, so if your colleague is using 0.96 or older he should really look at the implications of that change on his design decision. Storing XML in escaped for is always dodgy, much better to escape when necessary (and when some other tool isn't doing it for you). that is, after all, the canonical form. regards Steve -- Steve Holden +1 571 484 6266 +1 800 494 3119 Holden Web LLC http://www.holdenweb.com/ -- http://mail.python.org/mailman/listinfo/python-list
