[XML-SIG] problem with elementtree 1.2.6

Stefan Behnel stefan_ml at behnel.de
Tue Nov 27 14:59:31 CET 2007

Chris Withers wrote:
>> the following entities are predefined: &amp; (&) &lt; (<) &gt; (>)
>> &quot; (") &apos; ('). 
> Okay, so in the above, if I really mean &lt;, the xml should be:
> '<xml>&amp;lt;/&amp;gt;</xml>'
> Seems a little clunky, but okay...

That's how escaping works, be it in XML, encodings, compression, whatever.

> I guess this was causing me problems as I'm working on a bug in Twiddler 
> (http://www.simplistix.co.uk/software/python/twiddler)
> where quoted html was ending up unquoted after processing:
>  >>> from twiddler import Twiddler
>  >>> t = Twiddler('<span>&lt;b&gt;</span>')
>  >>> t.render()
> u'<span><b></span>'

If render() is supposed to serialise a correct HTML or XML tag structure then
this is a bug.

> Now, I see how you fixed this in ElementTree by re-escaping all the 
> predefined entities (out of interest, why is the funtion called 
> _escape_cdata rather than _escape_data?)

You can read the SGML spec regarding CDATA.

> but I can't do that because I 
> want uses to be able to insert chunks of html and choose whether or not 
> they are escaped:
>  >>> t = Twiddler('<span id="something"/>')
> escaping:
>  >>> t['something'].replace('<b>')

What an odd API.

>  >>> t.render()
> u'<span id="something">&lt;b&gt;</span>'

I guess that's the expected behaviour.

> no escaping:
>  >>> t['something'].replace('<b>',filters=())
>  >>> t.render()
> u'<span id="something"><b></span>'

I consider it bad practice to write serialised HTML into an HTML template. It
prevents the templating system from seeing the complete tag structure, which
allows you to output broken HTML without noticing. And there's enough broken
HTML out there already.

Doesn't Twiddler provide a way to insert a tag tree fragment rather than a
serialised tag string?

> What extra hooks get called as a result of calling UseForeignDTD?

Have you tried reading the docs or the source?


More information about the XML-SIG mailing list