[Cheetahtemplate-discuss] Undesirable Double Escaping with the WebSafe Filter

  • Mike Wiacek
    Message 1 of 2, Dec 8, 2007
      If you have #def's in your template, and you use the WebSafe filter,
      you end up with a double escaping problem
      if any template functions return html content.

      Here is a short template I'll use to demonstrate what I'm talking about:

      #def tmpl_function
      Some HTML: $html
      #end def

      $tmpl_function()


      If I try to render the template by passing {'html':'<h1>hello</h1>'}
      to the searchList, it renders the following:

      Some HTML: &lt;h1&gt;hello&lt;/h1&gt;

      This is clearly a mistake, as the output should be:

      Some HTML: <h1>hello</h1>

      If we look at the compiled template code we see that this occurs
      because the filter is called twice.


      def tmpl_function(self, **KWS):
          .... skipped boilerplate code...
          write('Some HTML: ')
          _v = VFFSL(SL,"html",True) # '$html' on line 2, col 13
          if _v is not None: write(_filter(_v, rawExpr='$html')) # from line 2, col 13.


      So it's clear that when tmpl_function is called, any placeholders used
      within the function are passed to the filter.
      The entire function's return value is passed through the filter again,
      resulting in the problem.

      Since html escaping the same content more than once is not desirable,
      this behavior should be changed.
      Unfortunately, the NameMapper code determines if something is a
      callable function or an entry in the searchList,
      and by the time we get to the filter, we have no way of determining
      what type of entity rawExpr actually is.

      _v = VFFSL(SL,"tmpl_function",False)() # '$tmpl_function()' on line 5, col 1
      if _v is not None: write(_filter(_v, rawExpr='$tmpl_function()')) # from line 5, col 1.

      We can try checking the value of rawExpr within the filter to see if
      it contains a pair of parentheses, but Cheetah
      doesn't require them to be there. If I try to print out
      $tmpl_function without the (), it works fine.

      We need some way to inform the filter what type of entity rawExpr
      represents so that it can decide how to
      proceed. An alternative is to simply not pass the output of #def or
      #if statements to filters, as any placeholders
      used within the template get passed to the filter already. Could we
      make this a compiler option?

      I have seen some other people report this same problem on April 5,
      2007 in the email:
      [Cheetahtemplate-discuss] ReplaceNone vs WebSafe

      Has anyone proposed any solutions? I'd be willing to work on
      implementing them, but I'd like to know what
      other people think would be the best solution.

      ..mike

      -------------------------------------------------------------------------
      SF.Net email is sponsored by:
      Check out the new SourceForge.net Marketplace.
      It's the best place to buy or sell services for
      just about anything Open Source.
      http://sourceforge.net/services/buy/index.php
      _______________________________________________
      Cheetahtemplate-discuss mailing list
      Cheetahtemplate-discuss@...
      https://lists.sourceforge.net/lists/listinfo/cheetahtemplate-discuss
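The two filter passes shown in the compiled code above, and the compiler change the post asks about, as an added Python example. This is my code, not Cheetah's: the "compiled" template is hand-written to mirror the write/_filter structure of the post's output, the WebSafe filter is replaced by a stand-in built on html.escape, and both the SafeHTML marker type and the mark_def_output flag are assumptions that model "treat a #def's return value as already filtered". Outputs are the raw strings the template returns, before any browser decodes the entities.

```python
import html


class SafeHTML(str):
    """Marker type: a str whose content has already been HTML-escaped.

    Assumption for this example; Cheetah has no such type.
    """


def websafe_filter(value):
    """Stand-in for Cheetah's WebSafe filter: escapes every value it is given.

    The stand-in ignores rawExpr, since the post shows that rawExpr cannot
    tell a placeholder from a #def call.
    """
    return html.escape(str(value), quote=False)


def safe_aware_filter(value):
    """Escapes once, then marks the result so a second pass leaves it alone."""
    if isinstance(value, SafeHTML):
        return value
    return SafeHTML(html.escape(str(value), quote=False))


def render(search_list, _filter, mark_def_output=False):
    """Hand-written equivalent of the compiled template in the post.

    mark_def_output=True models the proposed compiler change: a #def's return
    value is treated as already filtered, because its literal text was never
    subject to filtering and its placeholders went through _filter inside it.
    """
    def tmpl_function():
        buf = ['Some HTML: ']
        _v = search_list.get('html')              # VFFSL(SL, "html", True)
        if _v is not None:
            buf.append(_filter(_v))               # first pass through the filter
        result = ''.join(buf)                     # str.join returns a plain str
        return SafeHTML(result) if mark_def_output else result

    buf = []
    _v = tmpl_function()                          # VFFSL(SL, "tmpl_function", False)()
    if _v is not None:
        buf.append(_filter(_v))                   # second pass over the whole #def
    return ''.join(buf)


SEARCH_LIST = {'html': '<h1>hello</h1>'}          # constructed input, as in the post
HOSTILE = {'html': '<script>alert(1)</script>'}   # constructed untrusted input


def double_escaped():
    """The behaviour the post reports: WebSafe applied to both passes."""
    return render(SEARCH_LIST, websafe_filter)


def marker_alone_not_enough():
    """A marking filter without the compiler change still double-escapes,
    because ''.join() inside the #def drops the SafeHTML marker."""
    return render(SEARCH_LIST, safe_aware_filter)


def fixed():
    """Marking filter plus #def output marked as filtered: escaped once."""
    return render(SEARCH_LIST, safe_aware_filter, mark_def_output=True)


def fixed_still_escapes_untrusted():
    """The fix must not open a hole: untrusted placeholder data is still escaped."""
    return render(HOSTILE, safe_aware_filter, mark_def_output=True)


if __name__ == '__main__':
    print(double_escaped())
    print(marker_alone_not_enough())
    print(fixed())
    print(fixed_still_escapes_untrusted())
```

The marker_alone_not_enough case is the practical caveat: a "safe" string type only works if every operation that rebuilds the #def's output (join, concatenation, formatting) preserves the marker, or if the compiler re-applies it to the #def's return value, which is what the proposed option amounts to. Whichever route is taken, the check worth keeping is the last one: data that arrives through a placeholder must come out escaped exactly once.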
    • Tavis Rudd
      Message 2 of 2, Dec 10, 2007
        Hi Mike,
        I use something other than the WebSafe filter for my own escaping so I
        haven't encountered this. If you've got time to figure it out and code up
        a patch for it, I'd be happy to add it to the next release.
        Tavis

        On Sat, 8 Dec 2007, Mike Wiacek wrote:

        > If you have #def's in your template, and you use the WebSafe filter,
        > you end up with a double escaping problem
        > if any template functions return html content.
