xml escapedness

Robin Becker robin at reportlab.com
Fri Feb 22 13:16:23 EST 2008


Steve Holden wrote:
> Robin Becker wrote:
>> Tim van der Leeuw wrote:
>>> On Fri, Feb 22, 2008 at 5:17 PM, Robin Becker <robin at reportlab.com> wrote:
>>>
>>>> A colleague has decided to keep his django database string values (which
>>>> are xml fragments) in an xml escaped form to avoid having the problem of
>>>> escaping them when they are used in templates etc etc.
>>>>
>>>> Unfortunately he found that the normal admin doesn't escape on the way
>>>> through so thought of adding a standard mechanism to the save methods.
>>>> However, this brings in the possibility of escaping twice ie once in his
>>>> original capture code and then in the django save methods.
>>>>
>>>>
>>> Well -- you escape them in the save() method only when they contain XML
>>> characters like <, > ? How about that, wouldn't that work?
>>>
>>> --Tim
>>>
>> ......
>> That might work, but there are all the ampersands etc etc to consider as well. 
>> So an escaped string could contain &, but so can a raw string.
> 
> by the way, be careful - the Django trunk is already modified to perform 
> escaping by default, so if your colleague is using 0.96 or older he 
> should really look at the implications of that change on his design 
> decision. Storing XML in escaped form is always dodgy, much better to 
> escape when necessary (and when some other tool isn't doing it for you). 
> That is, after all, the canonical form.
> 
> regards
>   Steve

I agree wholeheartedly, I would prefer raw in the db. Since we're scraping for 
some of the content it's hard to eliminate all xml though.
-- 
Robin Becker
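The double-escaping problem discussed in this thread, worked through as an added example (my code, not anything posted by Robin, Tim or Steve, and not Django's own implementation). It uses only the Python standard library. `naive_escape` shows what happens when an already-escaped value passes through a save hook that escapes again; `escape_if_markup` is Tim's "only when < or > is present" rule and shows the ampersand gap Robin points out; `idempotent_escape` skips ampersands that already start an entity reference, which fixes re-escaping but cannot tell a raw `&amp;` from an escaped one; and the `Safe` / `mark_safe` / `conditional_escape` names (hypothetical, modelled on the mark-safe idiom template engines use) show the escape-once-at-output approach Steve recommends. All sample strings are constructed for the example.

```python
import re
from xml.sax.saxutils import escape as xml_escape

# Constructed sample values for the example (not from the thread).
RAW_FRAGMENT = 'Tom & Jerry <b>win</b>'     # raw text as scraped
STORED_ESCAPED = xml_escape(RAW_FRAGMENT)   # what the colleague stores in the db


def naive_escape(s):
    """Escape every &, < and > unconditionally.

    Safe on raw input; applied to an already-escaped value it produces
    '&amp;amp;', which is the double-escaping the thread worries about.
    """
    return xml_escape(s)


def escape_if_markup(s):
    """Tim's heuristic: escape only when the value contains < or >.

    Never double-escapes (an escaped value has no < or >), but leaves a
    raw '&' untouched when no angle brackets are present, so the result
    is still not well-formed XML character data.
    """
    return xml_escape(s) if ('<' in s or '>' in s) else s


# An ampersand that does NOT begin a syntactically valid entity reference
# (named, decimal numeric, or hexadecimal numeric).
_LONE_AMP = re.compile(r'&(?!(?:#[0-9]+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);)')


def idempotent_escape(s):
    """Escape < and >, and only those ampersands not already in an entity.

    Applying it twice gives the same result as applying it once, so it is
    safe to call from both the capture code and the save hook. The cost:
    a raw value that literally contains '&amp;' (as scraped text can) is
    silently left as-is, because raw and escaped text are indistinguishable.
    """
    s = _LONE_AMP.sub('&amp;', s)
    return s.replace('<', '&lt;').replace('>', '&gt;')


class Safe(str):
    """Marker type: this value is already escaped and must not be escaped
    again. Hypothetical name, modelled on the mark-safe idiom."""


def mark_safe(s):
    """Declare a value as trusted, already-escaped markup."""
    return Safe(s)


def conditional_escape(s):
    """Escape-at-output: escape unless the value is explicitly marked safe."""
    return s if isinstance(s, Safe) else Safe(xml_escape(s))


def render(values):
    """Render values into an element, escaping each exactly once.

    With raw values stored in the database this is the whole policy;
    feeding it STORED_ESCAPED instead reproduces the double escape.
    """
    return '<p>' + ''.join(conditional_escape(v) for v in values) + '</p>'


if __name__ == '__main__':
    print(naive_escape(STORED_ESCAPED))        # double-escaped
    print(escape_if_markup('Tom & Jerry'))     # '&' left raw
    print(idempotent_escape('AT&amp;T'))       # raw '&amp;' not re-escaped
    print(render(['Tom & Jerry', mark_safe('<b>bold</b>')]))
```

The takeaway matches Steve's advice: every strategy that tries to guess whether a stored string is already escaped has an ambiguous case involving `&`, while storing raw text and escaping once at output (marking the few deliberate markup fragments safe) has none.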
