Forum OpenACS Development: Re: HTML quoting in the templating system

Posted by Eduardo Pérez on
This is a hack to keep current things working correctly rather than a fix.
It's not a fix because when trying to fix some things it breaks others.
The correct fix is using ad_quotehtml where appropriate.

If someone wants to continue with this hack,
why not, instead of declaring a function that does nothing ("noquote"), declare a function that does something ("quote")? This way we finish with the overquote problem more easily.

I'm almost sure using ;quote instead of ;noquote is a far better idea.
Why are you not using ;quote?
Did you discard ;quote in favor of ;noquote, or didn't you think of it at first?

I would prefer "convert_utf8tohtmlutf8" or "convert_texttohtml" instead of "quote", but that's a naming convention that would only help OpenACS beginners.

Posted by Jeff Davis on
No Eduardo, this is not a hack, given that in the majority of cases the variables should in fact be quoted. The default behavior should be what is most common. Doing it this way means that if someone is either inexperienced or careless you still get a page which is not susceptible to cross site scripting exploits, and the way it breaks is obvious and easy to fix.

Doing it the other way around makes the failure mode silent and exposes your site to a security risk.
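The following Tcl is an added illustration of the point both posts are arguing over; it is not code from OpenACS or from either poster. It is a miniature ADP-style substitution engine in which `@name@` is HTML-quoted by default and only `@name;noquote@` passes markup through, so the two failure modes Jeff describes (over-quoting, which is visible on the page, and under-quoting, which is silent) can be seen side by side. The proc names `quote_html` and `render_template`, the regexp, and the sample values are assumptions made for this example; real OpenACS uses `ad_quotehtml` and the `template::adp` compiler.

```tcl
# Added illustration, not OpenACS code: a miniature ADP-style substitution
# engine in which @name@ is HTML-quoted unless the template writes
# @name;noquote@. The procs quote_html and render_template are assumed names
# for this example; OpenACS itself uses ad_quotehtml and template::adp.

proc quote_html {s} {
    # Escape the characters that let a value break out of HTML text or an
    # attribute (the same job ad_quotehtml does).
    return [string map [list & &amp; < &lt; > &gt; \" &quot; ' &#39;] $s]
}

proc render_template {tpl vars} {
    # tpl: template text; vars: dict of variable name -> value, as the
    # page's .tcl file would have set them.
    set out ""
    set pos 0
    set re {@([A-Za-z_][A-Za-z0-9_]*)(;noquote)?@}
    while {[regexp -indices -start $pos $re $tpl whole name flag]} {
        lassign $whole start end
        # copy the literal text that precedes this @...@ reference
        append out [string range $tpl $pos [expr {$start - 1}]]
        set value [dict get $vars [string range $tpl {*}$name]]
        if {[lindex $flag 0] >= 0} {
            append out $value              ;# ;noquote: markup passed through verbatim
        } else {
            append out [quote_html $value] ;# default: quoted, safe to echo
        }
        set pos [expr {$end + 1}]
    }
    append out [string range $tpl $pos end]
    return $out
}

# Constructed sample data: a user-influenced display name and a trusted
# HTML fragment that the Tcl side built itself.
set vars [dict create \
    user_name {Bob <script>x()</script>} \
    menu_html {<a href="/">Home</a>}]

# Correct usage: untrusted text quoted by default, trusted markup marked ;noquote.
puts [render_template {<p>Hello @user_name@</p>@menu_html;noquote@} $vars]

# The two mistakes a template author can make, and how each one surfaces.
# Over-quoting trusted markup shows up on screen as literal "&lt;a href=..." text,
# so the page looks wrong immediately:
puts [render_template {@menu_html@} $vars]
# Marking untrusted text ;noquote hands the script tag to the browser while
# the page looks perfectly normal; this is the silent failure mode:
puts [render_template {@user_name;noquote@} $vars]
```

Run it with `tclsh` and compare the three lines of output: the first is what a correct template produces, the second is the loud, harmless over-quote that the default-quote design turns careless mistakes into, and the third is the silent cross-site-scripting result that a default-noquote design would produce whenever a template author simply forgot the marker.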