CDATA, escape, and debug.tpl: potential minor bug
Paul Hinze
I hail from Gallery [1] (I'm their GSoC student incidentally) and I've run into
a minor issue that I've been noticing with the Firebug extension on FF3.
Whenever Smarty is in debug mode, Firebug's console complains about an
"Illegal XML Character" and points to code generated from debug.tpl.
This is JavaScript that should pop up the Smarty debug window:
[debug.tpl]
144 <script type="text/javascript">
145 // <![CDATA[
146 if ( self.name == '' ) {ldelim}
147 var title = 'Console';
148 {rdelim}
149 else {ldelim}
150 var title = 'Console_' + self.name;
151 {rdelim}
152 _smarty_console = window.open("",title.value,"width=680,height=600,resizable,scrollbars=yes");
153 _smarty_console.document.write('{$debug_output|escape:'javascript'}');
154 _smarty_console.document.close();
155 // ]]>
156 </script>
[/debug.tpl]
As would be expected, it's wrapped in a CDATA block, so any cranky XML parser
won't complain about JavaScript's flagrant use of invalid characters like & and
< and the like. The problem is, the XHTML that's included in $debug_output
actually has CDATA tags *in* it, making line 153 expand to the following mess
(from which I've snipped out all but the relevant parts):
_smarty_console.document.write('<!DOCTYPE html PUBLIC ... <style type=\"text/css\">\n/* <![CDATA[ */\nbody, h1 ... ]]> ...
You can see how an XML parser would incorrectly read this JavaScript call as
the end of the section it's supposed to ignore, and once again get cranky and
complain.
One way to solve this problem is to have the modifier 'escape', when it is used
for JavaScript, also remove CDATA tags. The downside to this is that the CSS
of the popup window is not properly escaped from an XHTML standpoint. Perhaps
there would be a better way to fix this as well...
So, I hope I've made my case clearly and pointed out what I believe is a small
bug. Let me know if I'm totally off, though. ;)
Regards,
Paul Hinze
Google Summer of Code 2008 Student, Gallery Project