Yes, I know about .xml(), it's just that it is unintuitive, and more
importantly w3 says:
"User agents must not evaluate script data as HTML markup but instead
must pass it on as data to a script engine. Please note that script
data that is element content may not contain character references, but
script data that is the value of an attribute may contain them."
... so I'm not sure what Massimo means when he says it MUST escape
characters. I understand for general tags, but <script> is pretty
specific with regard to this, and for a reason. What I'm saying it
makes more sense to me to return XML() when someone does {{=SCRIPT
(stuff)}} than require to do XML manually. As is now, the script
element is more like a CODE() tag ni forums that ensures source get's
printed to the user, but not executed/nterpreted.
On Dec 9, 5:22 pm, mdipierro <[EMAIL PROTECTED]> wrote:
> Yes, by default it MUST escape all characters. This is an important
> security feature.
> In Django they had to break backward compatibility and make it so.
> Use XML(text) to prevent it.
>
> Massimo
>
> On Dec 9, 7:41 am, Iceberg <[EMAIL PROTECTED]> wrote:
>
> > Can web2py's XML(...) help you?
>
> > On Dec 8, 11:24 pm, achipa <[EMAIL PROTECTED]> wrote:
>
> > > I just noticed that by default it escapes some chars that it probably
> > > shouldn't - for example 'if x < y' becomes 'if x &lt; y'. You can of
> > > course work around this, but is probably not what most users would
> > > expect...
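Added example, not part of the thread and not web2py code: it shows what the script engine receives when a script body is entity-escaped, what happens when untrusted data is embedded raw, and one way to embed data so that neither problem occurs. All function names and the sample value are constructed for illustration; Python's standard `html.parser` stands in for the browser's handling of `<script>` content.

```python
import html
import json
from html.parser import HTMLParser

UNTRUSTED = "</script><p>markup</p>"  # constructed sample value

def escape_as_html(js_source):
    """Generic tag behaviour: entity-escape the body like any other element."""
    return "<script>" + html.escape(js_source) + "</script>"

def embed_raw(js_source):
    """XML()-style behaviour: the body is emitted untouched."""
    return "<script>" + js_source + "</script>"

def js_literal(value):
    """Serialise data as a JS literal that cannot end the script element."""
    out = json.dumps(value)
    return (out.replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))

class ScriptView(HTMLParser):
    """Collects the script body as data, plus any tags seen outside it."""
    def __init__(self):
        super().__init__()
        self.in_script, self.body, self.other_tags = False, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        else:
            self.other_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.body.append(data)

def parse(markup):
    """Return (script body handed to the engine, tags found outside the script)."""
    view = ScriptView()
    view.feed(markup)
    view.close()
    return "".join(view.body), view.other_tags
```

Character references inside script element content are not decoded, so the escaped form reaches the engine as `&lt;`; the raw form is cut off at the first `</script>` in the data, while the `\u003c` form stays a single intact string literal.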