[Web-SIG] JavaScript escape function
Donovan Preston
dp at ulaluma.com
Tue Apr 26 05:32:41 CEST 2005
On Apr 25, 2005, at 7:34 PM, Ian Bicking wrote:
> Donovan Preston wrote:
>
>> var s = '$jquote($s)'
>> Leaving it up to the developer to ensure every potentially unsafe
>> python string is quoted properly always makes me nervous. Nevow
>> has enough information to automatically safely quote strings
>> inserted in html, html attribute, and URL contexts, but isn't
>> currently smart enough to know much about javascript and
>> javascript string quoting contexts. livepage will try to quote
>> things properly for you if you are using livepage.handler (which
>> uses jquote as shown above) but it's pretty easy to fool, because
>> nevow doesn't yet know enough about JavaScript to really be safe.
>> I hope to add some additional intelligence soon to cover this,
>> and perhaps also to cover CSS contexts.
>>
>
> This is why I strongly prefer keeping explicit quotes out of the
> substitution, i.e., "var s = $repr(str(s))"
I agree. It looks like $repr(str(s)) should do the Right Thing all
the time here.
> (or jquote or whatever)
jquote was never meant to be used explicitly. It was always meant to
be used by handler, which knows exactly what the current quote
situation is, like this:
    @livepage.handler(somePotentiallyUnsafeThing)
    def foo(client, theUnsafeThingHandledSafely):
        print "Your unsafe thing got quoted properly: ", theUnsafeThingHandledSafely
> , because it's less likely to lead to errors. If you do "var s =
> $s" it'll just break (syntactically invalid). But if you do "var s
> = '$s'" it'll work most of the time.
Except when s contains ', \\, or \n.
> This is how the DB-API (and database quoting generally) works. And
> not how PHP quoting is usually done, and we know how that ends up ;)
I'm trying to show my wife how to get some simple things done with
PHP, mostly because there are huge reference books she can read and
follow. (It's unfortunate that there are no nice Python solutions I
can teach her, including my own, but we'll fix that, right?) In the
example I'm following to construct some SQL, they do:
    $bar = 'some string';
    $baz = 42;
    $query = "INSERT INTO foo VALUES ('$bar', $baz)";
Are you telling me if $bar contains ' then all hell will break loose?
Donovan
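The two quoting failures discussed above, as an added example (Python 3; this is not Nevow, livepage or DB-API driver code, and the helper names `naive_js_assignment`, `js_string_literal`, `make_db`, `insert_naive`, `insert_param`, `select_naive`, `select_param` and the `foo` table contents are assumptions made for the demonstration). The JavaScript half contrasts `var s = '$s'` with the `$repr(str(s))` idea and with an escaper built on `json.dumps`; the SQL half runs the PHP-style `INSERT INTO foo VALUES ('$bar', $baz)` against an in-memory SQLite database with a `'` in `$bar`, next to the placeholder form.

```python
# Added example (Python 3), not code from the thread or from Nevow/livepage:
# the same "who owns the quotes" problem in a JavaScript and in an SQL context.
import json
import sqlite3


# --- JavaScript string context ---------------------------------------------

def naive_js_assignment(s):
    """The `var s = '$s'` pattern: the template supplies the quotes, so a
    value containing ', a backslash or a newline ends the literal early."""
    return "var s = '%s';" % s


def repr_js_assignment(s):
    """The `var s = $repr(str(s))` idea: the escaper supplies the quotes.
    Python's repr escapes ', \\ and control characters in a way JavaScript
    also accepts, but it is not a JavaScript escaper: '</script>' passes
    through untouched and would end the enclosing <script> element."""
    return "var s = %s;" % repr(str(s))


def js_string_literal(s):
    """Emit a complete JavaScript string literal, quotes included (hypothetical
    helper).  json.dumps(ensure_ascii=True) escapes ", \\, control characters
    and every non-ASCII code point (so the line terminators U+2028/U+2029
    cannot break the script); '</' is escaped as well so the literal can never
    contain '</script>'."""
    return json.dumps(s, ensure_ascii=True).replace("</", "<\\/")


def safe_js_assignment(s):
    """Keep the quotes out of the template; let the escaper own them."""
    return "var s = %s;" % js_string_literal(s)


# --- SQL context ------------------------------------------------------------

def make_db():
    """In-memory SQLite table standing in for the PHP example's `foo`, with
    constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT, baz INTEGER)")
    conn.executemany("INSERT INTO foo (bar, baz) VALUES (?, ?)",
                     [("some string", 42), ("another", 7)])
    return conn


def insert_naive(conn, bar, baz):
    """The PHP example: "INSERT INTO foo VALUES ('$bar', $baz)".  A ' in bar
    makes the statement invalid; a crafted bar makes it a different statement.
    Returns True on success, False if the database rejects the SQL."""
    try:
        conn.execute("INSERT INTO foo (bar, baz) VALUES ('%s', %s)" % (bar, baz))
        return True
    except sqlite3.Error:
        return False


def insert_param(conn, bar, baz):
    """DB-API placeholders: the driver binds (or quotes) the value and the
    query text carries no quotes of its own, so any bar is just data."""
    conn.execute("INSERT INTO foo (bar, baz) VALUES (?, ?)", (bar, baz))
    return True


def select_naive(conn, bar):
    """Same interpolation bug on a lookup: "' OR '1'='1" matches every row."""
    rows = conn.execute("SELECT id FROM foo WHERE bar = '%s'" % bar).fetchall()
    return [r[0] for r in rows]


def select_param(conn, bar):
    """Placeholder form of the same lookup: the payload matches nothing."""
    rows = conn.execute("SELECT id FROM foo WHERE bar = ?", (bar,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(naive_js_assignment("it's"))          # var s = 'it's';   (broken JS)
    print(safe_js_assignment("it's"))           # var s = "it's";
    conn = make_db()
    print(insert_naive(conn, "it's", 1))        # False
    print(insert_param(conn, "it's", 1))        # True
    print(select_naive(conn, "' OR '1'='1"))    # [1, 2, 3]  (every row)
    print(select_param(conn, "' OR '1'='1"))    # []
```

The SQLite driver is used only because it ships with Python; the point is the shape of the query text, which is the same for any DB-API module: `?` or `%s` placeholders with the value passed separately, never a quoted `'%s'` filled by string formatting.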