Forum OpenACS Development: Re: What a forking mess: noquote hell.

Posted by Jeff Davis on
You don't want to say "nohtml" for plain text fields, since that means you can't use < in them. Take the forum subject field, for example: you should be able to have a tag in the subject, like "<blink> should be on the list of allowed tags", but not have to worry that you will have a blinking page as a consequence. Of course you could ad_quotehtml all the plain text fields and not have noquote, but given how few places this was done correctly in 4.6.3 and before, I am confident that OpenACS with noquote has far fewer quoting bugs than previous versions.

Also, something like a user contribution page, which shows data from lots of different packages (some of which might be missing validation like you are talking about), is much safer with automatic HTML quoting.

It certainly was not hard to move most of the toolkit to noquote, and where it's wrong the fix is pretty obvious, so I think the lack of backward compatibility is not a big deal at all (and if you submit a patch versus 4.6.3 to make ;noquote a no-op we would be happy to apply it).
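To make the trade-off in the post above concrete, here is a small Python model of the two behaviours being compared: a template engine that HTML-quotes every @variable@ by default and renders raw only when ;noquote is present, beside a nohtml-style input filter that rejects anything containing < or >. This is an added example for this thread, not OpenACS code; quotehtml() stands in for ad_quotehtml, the @name@ / @name;noquote@ syntax mirrors ADP, and the sample subject and unvalidated field are constructed values.

```python
import re

# Constructed sample values (not taken from any real site):
# a forum subject that legitimately contains a tag name (the post's example),
# and a field from a package that skipped its own input validation.
SUBJECT = "<blink> should be on the list of allowed tags"
UNVALIDATED = '<img src=x onerror="alert(1)">'

# Stand-in for ad_quotehtml: escape the characters that let a value break out
# of HTML text or an attribute. A model of the behaviour, not OpenACS's code.
_QUOTE_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}

def quotehtml(value: str) -> str:
    return "".join(_QUOTE_MAP.get(ch, ch) for ch in value)

# Matches an ADP-style variable reference: @name@ or @name;noquote@.
_VAR = re.compile(r"@(\w+)(;noquote)?@")

def render(template: str, variables: dict) -> str:
    """Substitute variables: quoted by default, raw only when ;noquote is present."""
    def substitute(match: re.Match) -> str:
        name, raw = match.group(1), match.group(2) is not None
        value = str(variables[name])
        return value if raw else quotehtml(value)
    return _VAR.sub(substitute, template)

def nohtml_ok(value: str) -> bool:
    """A nohtml-style input filter: reject any value containing < or >."""
    return "<" not in value and ">" not in value

def noquote_vars(template: str) -> list:
    """Audit aid: names of the variables a template renders unquoted."""
    return [m.group(1) for m in _VAR.finditer(template) if m.group(2)]

if __name__ == "__main__":
    page = "<h2>@subject@</h2>\n<div>@body;noquote@</div>"
    # Default quoting keeps the literal <blink> in the subject harmless,
    # while the ;noquote on body passes the unvalidated field straight through.
    print(render(page, {"subject": SUBJECT, "body": UNVALIDATED}))
    # Dropping ;noquote makes the page safe even though body was never validated.
    print(render(page.replace(";noquote", ""), {"subject": SUBJECT, "body": UNVALIDATED}))
    # The nohtml approach would have rejected the legitimate subject outright.
    print("nohtml would accept the subject:", nohtml_ok(SUBJECT))
    print("variables rendered unquoted:", noquote_vars(page))
```

The noquote_vars() helper is the review step the post alludes to: every ;noquote in a template is a place where the data must already be trusted or quoted upstream, so listing them is how you find the few spots that need a fix after moving a package to the auto-quoting model.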

Posted by Tom Jackson on

It sounds like the noop is a good idea, I'll try it out and post a TIP, or bug/feature. I'm usually less than clear when I write. To summarize, noquote isn't a bad idea, there are other good reasons to use it, mentioned in the original documents referenced above. Upgrading my packages is a good idea, and I had already done one before I started to think, not about doing the upgrade, but about maintaining sites that can't move to 5.0 right away, but might want upgrades to my packages.