[Web-SIG] JavaScript escape function

Donovan Preston dp at ulaluma.com
Tue Apr 26 05:32:41 CEST 2005


On Apr 25, 2005, at 7:34 PM, Ian Bicking wrote:

> Donovan Preston wrote:
>
>> var s = '$jquote($s)'
>> Leaving it up to the developer to ensure every potentially unsafe
>> python string is quoted properly always makes me nervous. Nevow
>> has enough information to automatically safely quote strings
>> inserted in html, html attribute, and URL contexts, but isn't
>> currently smart enough to know much about javascript and
>> javascript string quoting contexts. livepage will try to quote
>> things properly for you if you are using livepage.handler (which
>> uses jquote as shown above) but it's pretty easy to fool, because
>> nevow doesn't yet know enough about JavaScript to really be safe.
>> I hope to add some additional intelligence soon to cover this,
>> and perhaps also to cover CSS contexts.
>>
>
> This is why I strongly prefer keeping explicit quotes out of the  
> substitution, i.e., "var s = $repr(str(s))"

I agree. It looks like $repr(str(s)) should do the Right Thing all  
the time here.

> (or jquote or whatever)

jquote was never meant to be used explicitly. It was always meant to  
be used by handler, which knows exactly what the current quote  
situation is, like this:

@livepage.handler(somePotentiallyUnsafeThing)
def foo(client, theUnsafeThingHandledSafely):
    print "Your unsafe thing got quoted properly: ", theUnsafeThingHandledSafely

> , because it's less likely to lead to errors.  If you do "var s =  
> $s" it'll just break (syntactically invalid).  But if you do "var s  
> = '$s'" it'll work most of the time.

Except when s contains ', \\, or \n.

> This is how the DB-API (and database quoting generally) works.  And  
> not how PHP quoting is usually done, and we know how that ends up ;)

I'm trying to show my wife how to get some simple things done with  
PHP, mostly because there are huge reference books she can read and  
follow. (It's unfortunate that there are no nice Python solutions I  
can teach her, including my own, but we'll fix that, right?) In the  
example I'm following to construct some SQL, they do:

$bar = 'some string';
$baz = 42;
$query = "INSERT INTO foo VALUES ('$bar', $baz)";

Are you telling me if $bar contains ' then all hell will break loose?

Donovan
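The two failure modes this exchange turns on, the `var s = '$s'` pattern on the JavaScript side and the PHP-style `'$bar'` string on the SQL side, next to quoting that handles them, as an added Python example that is not part of the thread and not Nevow or livepage code. The sample strings, the table `foo` and all function names are constructed for the example. On the JavaScript side it uses `json.dumps` rather than `repr(str(s))`, because JSON string syntax is a subset of JavaScript string literal syntax and `json.dumps` (with its default `ensure_ascii=True`) escapes backslashes, double quotes, control characters and all non-ASCII code points; it additionally escapes `<` so a value cannot close the surrounding `<script>` element. On the SQL side it uses SQLite's DB-API parameter binding, which is the mechanism Ian refers to.

```python
import json
import sqlite3

# Constructed sample values (not taken from the thread) that contain the
# characters the thread says defeat the "var s = '$s'" pattern: ', \ and \n.
SAMPLES = [
    "plain text",
    "it's",
    "back\\slash",
    "line\nbreak",
    "</script><script>x()</script>",
]

# Characters a naive single-quoted JavaScript literal cannot hold unescaped.
JS_BREAKERS = "'\\\n\r"


def naive_js_literal(s):
    """The "var s = '$s'" pattern: wrap in quotes, escape nothing."""
    return "'" + s + "'"


def naive_literal_is_safe(s):
    """True only when the naive pattern happens to yield valid JavaScript."""
    return not any(c in s for c in JS_BREAKERS)


def js_literal(s):
    """Render s as a JavaScript string literal that can sit inside <script>.

    json.dumps gives a double-quoted literal with backslash, double quote,
    control characters and every non-ASCII code point (so also the JS line
    terminators U+2028/U+2029) already escaped. JSON leaves '<' alone, and
    that is what lets a value end the enclosing script element early, so
    it is escaped as \\u003c as well.
    """
    return json.dumps(s).replace("<", "\\u003c")


def js_literal_roundtrip(s):
    """Decode what js_literal produced, to confirm no characters were lost."""
    return json.loads(js_literal(s))


def insert_parameterized(conn, bar, baz):
    """DB-API style: the SQL text is constant; the driver binds the values."""
    conn.execute("INSERT INTO foo VALUES (?, ?)", (bar, baz))


def insert_interpolated(conn, bar, baz):
    """The PHP-style pattern from the thread, transcribed to Python: the
    value is pasted into the SQL text, so a quote in bar changes the SQL."""
    conn.execute("INSERT INTO foo VALUES ('%s', %s)" % (bar, baz))


def demo_sql(bar="it's", baz=42):
    """Run both inserts against an in-memory SQLite table.

    Returns (rows, interpolated_failed): the rows that reached the table,
    and whether the interpolated insert raised a SQL error.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (bar TEXT, baz INTEGER)")
    insert_parameterized(conn, bar, baz)
    try:
        insert_interpolated(conn, bar, baz)
        interpolated_failed = False
    except sqlite3.Error:
        # The lone quote in bar leaves the statement with unbalanced
        # quoting, so SQLite rejects it instead of inserting the row.
        interpolated_failed = True
    rows = conn.execute("SELECT bar, baz FROM foo").fetchall()
    conn.close()
    return rows, interpolated_failed


if __name__ == "__main__":
    for s in SAMPLES:
        status = "safe" if naive_literal_is_safe(s) else "BREAKS"
        print("%-7s naive=%r  json=%s" % (status, naive_js_literal(s), js_literal(s)))
    print(demo_sql())
```

Running it shows that only the first sample survives the naive pattern, while `js_literal` produces a literal for every sample that decodes back to the original, and that with a value of `it's` the parameterized insert stores the row and the interpolated one is rejected by SQLite.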
