Escaping script code

Discussion:

user8472

2010-11-19 18:28:12 UTC

I want to generate a page which contains PHP code programmatically
with Genshi. However, I need to escape the special characters.

When I try: print(tag('<?php echo "Test"; ?>').generate())
the "<" and ">" will get escaped to < and > which obviously will
not work (not to mention what will happen to actual PHP code).

When I try to use the Unicode entities < and >, instead,
everything just gets worse.

However, there seems to be a way to escape strings using e.g.
tag.script('') which pastes the @Javascript@
code without escaping and works fine.

So is there a way to paste strings verbatim into the stream?

--
You received this message because you are subscribed to the Google Groups "Genshi" group.
To post to this group, send email to ***@googlegroups.com.
To unsubscribe from this group, send email to genshi+***@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/genshi?hl=en.

Simon Cross

2010-11-19 23:56:58 UTC

Permalink

On Fri, Nov 19, 2010 at 8:28 PM, user8472

Post by user8472
I want to generate a page which contains PHP code programmatically
with Genshi. However, I need to escape the special characters.

I'm not quite sure whether you want to escape special characters (as
you ask) or whether you want to avoid escaping them (as you appear to
be trying to do in your example). Either way,
http://genshi.edgewall.org/wiki/GenshiTutorial#AllowingMarkupinComments
should answer your question.

Schiavo
Simon

user8472

2010-11-20 09:13:15 UTC

Permalink

Thanks for your quick reply. As you have phrased so adequately I want
to avoid escaping the special characters. Of course, if there is a
different "preferred" way to generate script code then that would also
be nice.

WIth the page you have provided things work better now. But I ran into
another problem with the approach you have mentioned:

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:py="http://
genshi.edgewall.org/" xmlns:xi="http://www.w3.org/2001/XInclude">
<?python
def php():
from genshi.input import HTML
return HTML("<?php $test = 1; ?>")
?>
${php()}
</html>

This generates an error as it appears (I guess) the "?>" in the string
is being mistaken for the "?>" at the end of the Python code. One
workaround seems to be placing a wrapper function in an outside module
that pastes in the code. Another thing that seems to work by accident
is to paste in incorrect code, i.e., use the string "<?php $test = 1;

" (with a "?" missing at the end).

Is there a "best practice" to do this?

On Fri, Nov 19, 2010 at 8:28 PM, user8472

Post by user8472
I want to generate a page which contains PHP code programmatically
with Genshi. However, I need to escape the special characters.

I'm not quite sure whether you want to escape special characters (as
you ask) or whether you want to avoid escaping them (as you appear to
be trying to do in your example). Either way,http://genshi.edgewall.org/wiki/GenshiTutorial#AllowingMarkupinComments
should answer your question.
Schiavo
Simon

Simon Cross

2010-11-22 19:53:41 UTC

Permalink

On Sat, Nov 20, 2010 at 11:13 AM, user8472

Post by user8472
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:py="http://
genshi.edgewall.org/" xmlns:xi="http://www.w3.org/2001/XInclude">
<?python
from genshi.input import HTML
return HTML("<?php $test = 1; ?>")
?>
${php()}
</html>
This generates an error as it appears (I guess) the "?>" in the string
is being mistaken for the "?>" at the end of the Python code. One
workaround seems to be placing a wrapper function in an outside module
that pastes in the code. Another thing that seems to work by accident
is to paste in incorrect code, i.e., use the string "<?php $test = 1;

" (with a "?" missing at the end).

Is there a "best practice" to do this?

I don't think there is a neat way to avoid this. As you can see from
the standard [1] a processing instruction (such as <?python ?>) may
not contain the string '?>'. I was tempted to suggest:

<?python
def php():
from genshi.input import HTML
return HTML("<?php $test = 1; ?>")
?>
<?php
${php()}
?>

But Genshi doesn't process the contents of processing instructions.
This wouldn't be that hard to change but I'd like to hear from some
more regulars whether this is likely to break anyone else's code
before making any changes.

Another suggestion I have is:

<?python
def php():
from genshi.input import HTML
return HTML("<?php $test = 1; ?" + ">")
?>
${php()}

Or various similar tricks.

Post by user8472
From what I remember from my days as a PHP programmer leaving off the

closing '?>' is actually considered best practice if your PHP program
is meant to run to the end of the file since it avoids accidentally
outputing whitespace at the end of your PHP.

Apologies for the delay in replying. I needed to find a little time to
dig into this a bit.

[1] http://www.w3.org/TR/REC-xml/#sec-pi

Schiavo
Simon

user8472

2010-11-26 23:26:42 UTC

Permalink

Thanks for the quote of the XML standard; I was unaware that I wasn't
allowed to use '?>' even when it appears in quotes. In my current
situation I merely insert a couple of code "snippets" and use PHP
instructions sparsely - for the "heavy duty" processing I use
Genshi ;^) - so leaving out the closing '?>' is not an option.

So far I use a work-around that is similar to what you have suggested
(see my previous message); in particular, I call a function that
pastes in the "processing instruction" for PHP code with the code
inserted as a string.

Originally, I had been looking for a "tag" instance (similar to
"tag.script") which allows to insert other code verbatim with no
escaping. So why not extending Genshi to handle something like
"tag.php(code)" which does just that - paste in PHP code as a string
with the proper "<?php <code> ?>" boilerplate glue around it?

This way the problem is solved in a systematic way without breaking
existing codes and at least in my opinion it comes closer to user
expectations since there may be other people like me who expect "a way
to insert PHP" to be similar to "the way we found to insert other
scripting stuff".

Tim Black

2010-11-27 01:25:00 UTC

Permalink

Post by user8472
leaving out the closing '?>' is not an option.

You could try using ASP style tags (and enabling them in php.ini or via
an .htaccess file):
<%
// PHP code goes here
%>

Tim

Simon Cross

2010-11-27 23:27:54 UTC

Permalink

On Sat, Nov 27, 2010 at 1:26 AM, user8472

Post by user8472
Originally, I had been looking for a "tag" instance (similar to
"tag.script") which allows to insert other code verbatim with no
escaping. So why not extending Genshi to handle something like
"tag.php(code)" which does just that - paste in PHP code as a string
with the proper "<?php <code> ?>" boilerplate glue around it?

Sounds like a good suggestion. <?php ... ?> is not a tag though so it
would need a new object in genshi.builder, I think. Something like
pi.php(code) perhaps.

Schiavo
Simon