[Web-SIG] JavaScript escape function
Ian Bicking
ianb at colorstudy.com
Tue Apr 26 04:34:18 CEST 2005
Donovan Preston wrote:
> var s = '$jquote($s)'
>
> Leaving it up to the developer to ensure every potentially unsafe
> python string is quoted properly always makes me nervous. Nevow has
> enough information to automatically safely quote strings inserted in
> html, html attribute, and URL contexts, but isn't currently smart
> enough to know much about javascript and javascript string quoting
> contexts. livepage will try to quote things properly for you if you are
> using livepage.handler (which uses jquote as shown above) but it's
> pretty easy to fool, because nevow doesn't yet know enough about
> JavaScript to really be safe. I hope to add some additional
> intelligence soon to cover this, and perhaps also to cover CSS contexts.
This is why I strongly prefer keeping explicit quotes out of the
substitution, i.e., "var s = $repr(str(s))" (or jquote or whatever),
because it's less likely to lead to errors. If you do "var s = $s"
it'll just break (syntactically invalid). But if you do "var s = '$s'"
it'll work most of the time.
This is how the DB-API (and database quoting generally) works. And not
how PHP quoting is usually done, and we know how that ends up ;)
--
Ian Bicking / ianb at colorstudy.com / http://blog.ianbicking.org
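The point Ian makes above, as an added example that is not Nevow's jquote, livepage's handler, or his $repr(str(s)) idiom: a JavaScript-context escape function that emits its own quotes, next to a small scanner that models how a JavaScript tokeniser reads "var s = '...'" so the three template styles can be compared on the same input. All function names (jquote, parse_var_assignment, is_single_assignment, js_unescape, the render_* helpers) and the attacker-controlled PAYLOAD are constructed for this example.

```python
# Added example, not code from the thread or from Nevow. Names and the
# PAYLOAD below are invented for illustration.
import re


def jquote(value):
    """Return a single-quoted JavaScript string literal for str(value).

    The quotes come from here, not from the template, so a forgotten call
    yields invalid JavaScript instead of an injection point.
    """
    out = []
    for ch in str(value):
        if ch == "\\":
            out.append("\\\\")
        elif ch in "'\"":
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch in "\u2028\u2029":
            # raw U+2028/U+2029 end a JS string literal just like a newline
            out.append("\\u%04x" % ord(ch))
        elif ch == "<":
            # an HTML parser would otherwise see "</script>" inside the literal
            out.append("\\x3c")
        elif ord(ch) < 0x20:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "'" + "".join(out) + "'"


PAYLOAD = "'; alert(document.cookie); //"   # constructed attacker-controlled value


def render_quoted_in_template(value):
    """The pattern warned about: var s = '$s'. Works until value holds a quote."""
    return "var s = '%s';" % value


def render_bare(value):
    """var s = $s with no quoting at all: breaks loudly for almost any string."""
    return "var s = %s;" % value


def render_jquoted(value):
    """var s = $jquote(s): the escape function owns the quotes."""
    return "var s = %s;" % jquote(value)


def parse_var_assignment(js):
    """Read "var <name> = '<literal>'<rest>" the way a JS tokeniser does.

    Returns (literal_body, rest). Raises ValueError when no string literal
    starts where one is expected or it is never terminated, i.e. when the
    generated code is a syntax error.
    """
    m = re.match(r"var \w+ = '", js)
    if not m:
        raise ValueError("expected a string literal after '='")
    i = m.end()
    body = []
    while i < len(js):
        ch = js[i]
        if ch == "\\":              # escape sequence: keep it and the next char
            body.append(js[i:i + 2])
            i += 2
        elif ch == "'":
            return "".join(body), js[i + 1:]
        elif ch in "\n\r\u2028\u2029":
            raise ValueError("unterminated string literal")
        else:
            body.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def is_single_assignment(js):
    """True only when js is exactly one "var s = '...';" and nothing else runs."""
    try:
        _, rest = parse_var_assignment(js)
    except ValueError:
        return False
    return rest == ";"


_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "'": "'", '"': '"', "\\": "\\"}


def js_unescape(body):
    """Decode the escapes jquote emits, to check the round trip."""
    def one(m):
        e = m.group(1)
        if e[0] in "xu":
            return chr(int(e[1:], 16))
        return _SIMPLE_ESCAPES[e]
    return re.sub(r"\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)", one, body)
```

With PAYLOAD, render_quoted_in_template produces syntactically valid JavaScript whose string literal is empty and whose remainder, "; alert(document.cookie); //';", executes, which is the "works most of the time" failure. render_bare produces an unterminated literal and fails to parse at all, and render_jquoted produces one assignment whose literal decodes back to the original value. The escape function is also where context-specific concerns such as "</script>" and U+2028 belong, since the template author has no way to handle them from outside.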