Forum OpenACS Development: ad_quotehtml speed improvement

Would you mind posting this as a patch in bug-tracker?

In fact, Ns_QuoteHtml translates these 5 different characters to their equivalent HTML entitites:

<  >  &  \  "

<  >  &  '  "

Note that ns_quotehtml is translating literal backslashes, while ad_quotehtml is not. Why or why not?

So while you're at it, it would also useful to compare the string map vs. ns_quotehtml performance. If they're similar I think string map should be preferred, as it's much more general and powerful, and avoids and unnecessary dependency on the Ns_QuoteHtml C code for anyone trying to use OpenACS Tcl procs outside of AOLserver.

The problem is, as far as I can see, the only reason why you would want to quote quotes, in within html-tags and especially links. But, at least within links, that is not correct at all... Why?

First example:

<A href='page?a=@a@&b=@b@'>


As you see, I'm using single quotes. This is perfectly legal, and often usefull because single quotes do not have any special meaning in Tcl. For example:

<%="
This is a text where some values like this one $var1 will be inserted automatically [funca]
<A href='page?a=${var2}&b=[funcb]'>blablbalbablablabl</A>
"%>


Because of this property, I've learned myself to write html using single quotes and so I can code adp like above in all my vanilla AOLserver code.

So, do we want to quote ' too? It would solve the problem.

Second example:

<%
# For simplicity of example, would normally be done in .tcl file
set name "Daniël Mantione"
%>
<A href='page?name=@name@'>blablablablablabla</A>

Whoops! Afaik, an URL should in all situation consist of standard US-Ascii. It is no solution to quote, ë won't work in a URL.

What should be done instead? This is, of course, ns_urlencode. This is true in any situation where a variable is being expanded within a tag attribute that specifies a URL. (I.e. A href, IMG src, LINK href etc...)

Unless there is another reason to quote ", the entire reason why it should be quoted is bogus...

set url "page?[export vars name]"

in the tcl file.

Then in your adp you would have:

a href="@url;noquote@"

(unless ad_export_url_vars was added in 5.0)

If you do, you are still missing the point: The '&' characters in the url's MUST be quoted for the html to be valid. Since most browsers don't care, the problem is not big though.

Here is an example that might cause problems:

<a href="calculate-resistance?volt=2&amp=3">test</a>

Also, recently, the AOLserver parser had a bug resolved. Tag attributes which were quoted with single quotes were not correctly interpreted. Definitely, this is also a bug in ns_quotehtml, it should quote the single quote. Until this bug is fixed, the string map sounds like a good choice.

It sounds like we may want to deprecate ad_quotehtml in OACS 5.1 while rewriting it to call ns_quotehtml (and rewriting calls to ad_quotehtml as folks think of it).

Sound right?

Also instead of ad_export_url_vars we should use the export_vars proc as someone else recommended above.  It works for both URL and FORM vars (URL by default), allows assigning of values in the call, etc.

Now if someone wants to submit a patch to force export_vars to quote "&" we can take a look at it, but in practice I can't imagine any browser on the planet enforcing the standard in this regard ...

But the & in your url isn't html, it is just and old style of joining vars. Shouldn't the urls be fixed by using the new style, instead of quoting?

Well, in general it looks like rfc 2396 covers the issue. From section 2.4.2. "When to Escape and Unescape":

   A URI is always in an "escaped" form, since escaping or unescaping a
   completed URI might change its semantics.  Normally, the only time
   escape encodings can safely be made is when the URI is being created
   from its component parts; each component may have its own set of
   characters that are reserved, so only the mechanism responsible for
   generating or interpreting that component can determine whether or

   not escaping a character will change its semantics. Likewise, a URI
   must be separated into its components before the escaped characters
   within those components can be safely decoded.

"HTML Quoting" and "url escaping" are two different things. You can't quote components of a url, and definitely not the entire url. The & is a reserved separator, and I think the new one is the ';' semi-colon. Probably the old one, when used in an HTML page needs to be quoted?

Tom: The relevant document to quote is the SGML standard (for HTML) or the XML standard (for XHTML). Luckily the XHTML standard has a nice little writeup of the issue:

http://www.w3.org/TR/xhtml1/#C_12

(notice the example given)

The idea is this:

A URL is a URL is a URL. You generate the URL using export_vars, and get it in a Tcl string.

HTML is HTML is HTML. So if you want to send a string over HTML, you need to HTML-escape/quote certain characters, including the ampersand (&) character.

If you were to transmit your URL over plaintext email, or on a text/plain page, such as in a cvs, then you don't want to HTML-escape it.

That's why export_vars shouldn't do HTML quoting, and the templating system (design for HTML output) should.

/Lars