inconsistent escaping of html in notebook


Harald Schilly

Feb 13, 2009, 1:10:16 PM
to sage-devel
I got a bug report from the "report a problem" link in the notebook
about html character escaping.
It's inconsistent because it escapes html tags, but not &...; special
html characters.
I'm posting this to start a discussion if this is a bug or not or
other implications...

Example:

In

print "&amp; & &not;"
print "<b>foo</b>"
html("&amp; & &not;")
html("<b>foo</b>")

Out

& & ¬ <<< should be "&amp; & &not;"
(but the browser interprets the html characters
and it looks different)
<b>foo</b>
& & ¬
*foo* <<< in bold


h

mabshoff

Feb 13, 2009, 1:18:01 PM
to sage-devel


On Feb 13, 10:10 am, Harald Schilly <harald.schi...@gmail.com> wrote:

Hi,
Hmm, there was some recent bugfix about a similar problem for TinyMCE
IIRC, so it does sound familiar. Have you tried 3.3.rc0 to see if the
problem is still there?

> h

Cheers,

Michael

Jason Grout

Feb 13, 2009, 1:41:45 PM
to sage-...@googlegroups.com

Yes, this still happens on rc0. The problem fixed before was not on
TinyMCE per se, but on the escaping when dealing with the edit mode.

I see lots of places that only < is escaped, and not &, in notebook.py,
cell.py, etc. Would it be fairly safe to, whenever we escape <, escape
& as well?

Jason

William Stein

Feb 13, 2009, 1:45:29 PM
to sage-...@googlegroups.com

That seems like a very good idea.

I can tell you why < is escaped frequently, but & isn't: I didn't know
that one needs to escape & when I was writing that code in the
notebook.

It would be best to factor out any code that escapes < into a new
function that does all escapes, then have it do both < and &.

William

Jason Grout

Feb 13, 2009, 1:51:12 PM
to sage-...@googlegroups.com


Gee, if we were doing that, we might as well use one of the standard
python functions for this:


http://docs.python.org/library/cgi.html#cgi.escape

http://docs.python.org/library/xml.sax.utils.html#xml.sax.saxutils.escape

or if you plan to use the result as a quoted string, like in an
attribute value:

http://docs.python.org/library/xml.sax.utils.html#xml.sax.saxutils.quoteattr

Jason
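
The escaping gap discussed above, as an added example that is not part of the thread or of the patch at #5258: it compares escaping only `<`, a hand-rolled escape that handles `&` last, and `xml.sax.saxutils.escape`, then shows `quoteattr` for attribute values. The helper names are hypothetical, the sample strings are the two from the bug report, and `html.unescape` stands in for the browser's entity decoding.

```python
import html
from xml.sax.saxutils import escape, quoteattr

# Constructed sample inputs: the two strings from the bug report above.
SAMPLES = ["&amp; & &not;", "<b>foo</b>"]

def escape_lt_only(text):
    # Hypothetical stand-in for the behaviour discussed in the thread:
    # '<' is escaped, '&' is passed through untouched.
    return text.replace("<", "&lt;")

def escape_amp_last(text):
    # Hand-rolled fix with the replacements in the wrong order: the '&'
    # of the freshly produced '&lt;' gets escaped a second time.
    return text.replace("<", "&lt;").replace("&", "&amp;")

def escape_full(text):
    # xml.sax.saxutils.escape replaces '&' first, then '<' and '>'.
    return escape(text)

def displayed(markup):
    # Approximates the text a browser shows for element content by
    # decoding character references (tags are not interpreted here).
    return html.unescape(markup)

def survives(escaper, text):
    # True when the reader sees exactly the characters that were printed.
    return displayed(escaper(text)) == text

def title_attr(value):
    # quoteattr escapes the value and adds the surrounding quotes itself.
    return "<span title=%s>cell</span>" % quoteattr(value)

if __name__ == "__main__":
    for escaper in (escape_lt_only, escape_amp_last, escape_full):
        for text in SAMPLES:
            print(escaper.__name__, repr(text), "->", repr(escaper(text)),
                  "ok" if survives(escaper, text) else "ALTERED")
    print(title_attr('say "hi" & <go>'))
```

Only `escape_full` preserves both samples; the other two each alter one of them, which is why the order of replacements matters as much as covering `&` at all.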

Jason Grout

Feb 13, 2009, 2:07:18 PM
to sage-...@googlegroups.com
Jason Grout wrote:
> Gee, if we were doing that, we might as well use one of the standard
> python functions for this:
>
>
> http://docs.python.org/library/cgi.html#cgi.escape
>
> http://docs.python.org/library/xml.sax.utils.html#xml.sax.saxutils.escape
>
> or if you plan to use the result as a quoted string, like in an
> attribute value:
>
> http://docs.python.org/library/xml.sax.utils.html#xml.sax.saxutils.quoteattr


Okay, patch is up at #5258. William, do you want to review it?

The patch fixes the problem noted in this report.

Jason

William Stein

Feb 13, 2009, 2:43:53 PM
to sage-...@googlegroups.com

Awesome, thanks. Positive review!

William

Harald Schilly

Feb 13, 2009, 3:55:45 PM
to sage-devel


On Feb 13, 8:07 pm, Jason Grout <jason-s...@creativetrax.com> wrote:
> Okay, patch is up at #5258.

wow, that was fast. for the statistics, i received this at 18:57 and
you posted this at 20:07 (my timezone) :)

h

Jason Grout

Feb 13, 2009, 4:01:22 PM
to sage-...@googlegroups.com


Well, it's nice when you give us easy ones :).

Jason
