Discussion:
Genshi (Aggressive) Attribute Escape Question
jerry
2011-01-16 06:37:06 UTC
Hi,

My template --

"""
<div class="${Markup(google_search_url)}">
${Markup(google_search_url)}
</div>
<form action="${Markup(google_search_url)}" method="get" />
"""

renders to --

"""
<div class="http://www.google.com/search?hl=en&amp;q=genshi">
http://www.google.com/search?hl=en&q=genshi
</div>
<form action="http://www.google.com/search?hl=en&amp;q=genshi"
method="get" />
"""

Notice even within Markup(), the "&"s in attributes are escaped, which
messes up my form submission link.

While this seems like a "feature", is there a work-around, especially
for form action link?

Thanks in advance!

Jerry
--
You received this message because you are subscribed to the Google Groups "Genshi" group.
To post to this group, send email to ***@googlegroups.com.
To unsubscribe from this group, send email to genshi+***@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/genshi?hl=en.
jerry
2011-01-17 04:11:56 UTC
Just to answer myself, canonical form building always works --

"""
<form action="http://www.google.com/search" method="get">
<input type="hidden" name="hl" value="en" />
<input type="hidden" name="q" value="genshi" />
</form>
"""

Jerry
Post by jerry
Hi,
My template --
"""
<div class="${Markup(google_search_url)}">
${Markup(google_search_url)}
</div>
<form action="${Markup(google_search_url)}" method="get" />
"""
renders to --
"""
<div class="http://www.google.com/search?hl=en&amp;q=genshi">
http://www.google.com/search?hl=en&q=genshi
</div>
<form action="http://www.google.com/search?hl=en&amp;q=genshi"
method="get" />
"""
Notice even within Markup(), the "&"s in attributes are escaped, which
messes up my form submission link.
While this seems like a "feature", is there a work-around, especially
for form action link?
Thanks in advance!
Jerry
Simon Cross
2011-01-29 16:16:28 UTC
Post by jerry
Notice even within Markup(), the "&"s in attributes are escaped, which
messes up my form submission link.
While this seems like a "feature", is there a work-around, especially
for form action link?
I think this might count as a bug or at the very least certainly a bit
odd. Markup() is meant to mark text as not needing escaping. For
attributes the Markup wrapper around values is lost while the template
is being rendered. I tracked this down to a:

value = ''.join(values)

in genshi/template/base.py.

My initial fix is attached. It's a bit heavy handed so I'll need to
think about it a bit more before applying. I'd also like to check that
it doesn't introduce a significant performance penalty.

Schiavo
Simon
Christopher Lenz
2011-01-29 22:36:00 UTC
Post by Simon Cross
Post by jerry
Notice even within Markup(), the "&"s in attributes are escaped, which
messes up my form submission link.
While this seems like a "feature", is there a work-around, especially
for form action link?
I think this might count as a bug or at the very least certainly a bit
odd. Markup() is meant to mark text as not needing escaping. For
attributes the Markup wrapper around values is lost while the template
is being rendered.
IMO, rendering attribute values without escaping is unnecessary. You can't really put markup in an attribute value in any meaningful way, i.e. without generating output that's invalid (as in not well-formed).
--
Christopher Lenz
***@gmail.com
http://www.cmlenz.net/
Simon Cross
2011-01-29 23:00:11 UTC
Post by Christopher Lenz
IMO, rendering attribute values without escaping is unnecessary. You can't
really put markup in an attribute value in any meaningful way, i.e. without
generating output that's invalid (as in not well-formed).
Agreed (and also agreed about your comments to Jerry's original use-case).

My thought was just that if Markup(foo) is intended to mean that one
has already escaped foo then one might expect the value of foo to be
left as-is even for attribute values.
>>> MarkupTemplate('''<div foo="${Markup(foo)}" />''').generate(foo='&amp;').render()
'<div foo="&amp;"/>'
>>> MarkupTemplate('''<div foo="${Markup(foo)}" />''').generate(foo='&amp;').render()
'<div foo="&amp;amp;"/>'

which I would not necessarily have expected.

Schiavo
Simon
Christopher Lenz
2011-01-29 22:32:40 UTC
On 16.01.2011, at 07:37, jerry wrote:
[...]
Post by jerry
"""
<div class="http://www.google.com/search?hl=en&amp;q=genshi">
http://www.google.com/search?hl=en&q=genshi
</div>
<form action="http://www.google.com/search?hl=en&amp;q=genshi"
method="get" />
"""
Notice even within Markup(), the "&"s in attributes are escaped, which
messes up my form submission link.
I don't think the escaping is the problem here. If you didn't escape the ampersands, you'd be producing technically invalid HTML (in terms of well-formedness), even though browsers in the real world can deal with it.

In my quick testing of such GET method forms, I can't see a difference between escaping vs. not escaping the ampersands. In both cases, the query string parameters in the action URL get stripped. User agents don't seem to merge the actual form values with the query string, but rather use only the form values and remove preexisting query string parameters from the action URL. See also <http://stackoverflow.com/questions/1116019/submitting-a-get-form-with-query-string-params-and-hidden-params-disappear> on this topic.

Am I missing something here?
--
Christopher Lenz
***@gmail.com
http://www.cmlenz.net/
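
Added example, not part of the thread and not Genshi code: a check of the two points discussed above, that an attribute value escaped as `&amp;` decodes back to the original URL while an unescaped quote breaks out of the attribute, and that the canonical form can be derived from the URL. It assumes Python's standard `html.escape` and `HTMLParser` as stand-ins for the template engine's attribute escaping and a consumer's attribute decoding; `parse_tags`, `attr`, `get_form` and the `HOSTILE` value are hypothetical names and constructed data.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit, urlunsplit

URL = "http://www.google.com/search?hl=en&q=genshi"  # URL from the thread
HOSTILE = 'x" data-injected="1'  # constructed value containing a quote


class _Tags(HTMLParser):
    """Collect (tag, attrs) pairs; attribute values arrive entity-decoded."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """Parse markup the way a consumer of the page would see it."""
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.tags


def attr(value):
    """Escape text for use inside a double-quoted attribute."""
    return escape(value, quote=True)


def get_form(url):
    """Build the canonical GET form: query parameters become hidden inputs."""
    parts = urlsplit(url)
    action = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    rows = ['<form action="%s" method="get">' % attr(action)]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        rows.append('<input type="hidden" name="%s" value="%s" />'
                    % (attr(name), attr(value)))
    rows.append("</form>")
    return "\n".join(rows)


if __name__ == "__main__":
    print(parse_tags('<form action="%s" method="get" />' % attr(URL)))
    print(parse_tags('<div class="%s">' % HOSTILE))        # unescaped: extra attribute
    print(parse_tags('<div class="%s">' % attr(HOSTILE)))  # escaped: one attribute
    print(get_form(URL))
```
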