Yes, this still happens on rc0. The problem fixed before was not in
TinyMCE per se, but in the escaping when dealing with the edit mode.
I see lots of places where only < is escaped, and not &, in notebook.py,
cell.py, etc. Would it be fairly safe to, whenever we escape <, escape
& as well?
Jason
That seems like a very good idea.
I can tell you why < is escaped frequently, but & isn't: I didn't know
that one needs to escape & when I was writing that code in the
notebook.
It would be best to factor out any code that escapes < into a new
function that does all escapes, then have it do both < and &.
William
Gee, if we were doing that, we might as well use one of the standard
Python functions for this:
http://docs.python.org/library/cgi.html#cgi.escape
http://docs.python.org/library/xml.sax.utils.html#xml.sax.saxutils.escape
or if you plan to use the result as a quoted string, like in an
attribute value:
http://docs.python.org/library/xml.sax.utils.html#xml.sax.saxutils.quoteattr
Jason
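
An added example, not part of the original thread or the patch: it shows why escaping only < breaks an edit-mode round trip and how the `xml.sax.saxutils` functions linked above avoid it. `escape_lt_only`, `edit_round_trip`, `render_input` and the sample text are hypothetical names and constructed data; `html.unescape` stands in for the browser decoding entities in a textarea.

```python
from html import unescape  # stands in for the browser decoding entities
from xml.sax.saxutils import escape, quoteattr

# Constructed sample: cell text in which the user typed a literal entity.
SAMPLE = "To show a tag, type &lt;b&gt; and note that 1 < 2"


def escape_lt_only(text):
    """Hypothetical helper mirroring the pattern in the thread: only '<'."""
    return text.replace("<", "&lt;")


def edit_round_trip(text, escaper):
    """Escape text for a <textarea>, then decode it as the browser would.

    The return value is what the user sees in edit mode and submits back.
    """
    return unescape(escaper(text))


def render_input(value):
    """Build an <input> tag; quoteattr adds the quotes and escapes inside."""
    return "<input type=\"text\" value=%s>" % quoteattr(value)


if __name__ == "__main__":
    for escaper in (escape_lt_only, escape):
        result = edit_round_trip(SAMPLE, escaper)
        status = "preserved" if result == SAMPLE else "CHANGED"
        print("%-15s %s: %r" % (escaper.__name__, status, result))
    print(render_input('a "quoted" & <tagged> value'))
```

With only < escaped, the literal `&lt;b&gt;` the user typed comes back from edit mode as a real `<b>` tag; escaping & as well keeps the text unchanged.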
Okay, patch is up at #5258. William, do you want to review it?
The patch fixes the problem noted in this report.
Jason
Awesome, thanks. Positive review!
William
Well, it's nice when you give us easy ones :).
Jason