xml escapedness

Steve Holden steve at holdenweb.com
Fri Feb 22 18:47:12 CET 2008

Robin Becker wrote:
> Tim van der Leeuw wrote:
>> On Fri, Feb 22, 2008 at 5:17 PM, Robin Becker <robin at reportlab.com> wrote:
>>> A colleague has decided to keep his django database string values (which
>>> are xml
>>> fragments) in an xml escaped form to avoid having the problem of escaping
>>> them
>>> when they are used in templates etc etc.
>>> Unfortunately he found that the normal admin doesn't escape on the way
>>> through
>>> so thought of adding a standard mechanism to the save methods. However,
>>> this
>>> brings in the possibility of escaping twice ie once in his original
>>> capture code
>>> and then in the django save methods.
>> Well -- you escape them in the save() method only when they contain XML
>> charachters like <, > ? How about that, wouldn't that work?
>> --Tim
> ......
> That might work, but there are all the ampersands etc etc to consider as well. 
> So an escaped string could contain &, but so can a raw string.

by the way, be careful - the Django trunk is already modified to perform 
escaping by default, so if your colleague is using 0.96 or older he 
should really look at the implications of that change on his design 
decision. Storing XML in escaped for is always dodgy, much better to 
escape when necessary (and when some other tool isn't doing it for you). 
that is, after all, the canonical form.

Steve Holden        +1 571 484 6266   +1 800 494 3119
Holden Web LLC              http://www.holdenweb.com/

More information about the Python-list mailing list