Created by Rocael Hernández Rizzardini, last modified by Gustaf Neumann 07 Jun 2017, at 10:54 AM
- Avoid putting in Tcl code on ADP pages if possible
- Quote in the master, pass "properties" literally from slave adp files
when variables are used in templates without modifiers (marked with a ";") then the values of the variables are internationalized and html-quoted. The substitutions should be done at the place, where the variables are actually used, which is for "properties" in the master templates. That the places, where the variable values are just passed on, the modifier ";literal" should be used to prevent quoting and internationalization.
<head> <title>@doc.title@</title> </head> <body bgcolor="#ffffff"> <h1>@heading@</h1> <slave> </body>
<master> <property name="doc(title)">@title;literal@</property> <property name="heading">@title;literal@</property> ...Passing arguments to ADP includes:
<include src="name-of-included-adp" ... var="@value;literal@" ...>
<include src="name-of-included-adp" ... &="varName" ...>
- Pass always the "context" and "doc(title)" properties to the site master template
<property name="doc(title)">@title;literal@</property> <property name="context">@context;literal@</property>
- Quote HTML attributes
Quoting HTML attribute values improves the safety against XSS attacks, especially when the attribute values are variables. Double quotes are preferred over single quotes, both are fine.