I don't know if this belongs on the dev board, but since it relates to
how the framework acts, I thought I'd give it a shot. Basically, I am
curious as to the function of escape vs. conditional_escape, and the
decision to use the former in the forms.as_x functions...
As far as I can tell, escape escapes a string unconditionally, even if
it's marked as safe (though I don't understand why this should be). I
am in a situation wherein I am trying to model a Dojo Widget as a
Django Widget, and need to make a javascript call with a string
argument. I have mark_safe'd the call in question
attrs['some_element'] = mark_safe("value with unsafe characters") at
the widget level. The problem is, when you get to the form rendering
level, even if a variable is marked safe, it gets escaped.
I've traced the execution and found the culprit to be the
django.forms.util.flatatt function. That is:
from django import forms
from django.utils.safestring import mark_safe
class MyWidget(forms.TextInput):
def __init__(self, *args, **kwargs):
attrs = kwargs.setdefault('attrs', {})
attrs['safe_string'] = "will o' the wisp"
attrs['normal_string'] = "cat o' nine tails"
super(MyWidget, self).__init__(*args, **kwargs)
w = MyWidget()
w.render("field_name", "")
#=> u'<input normal_string="cat o' nine tails" type="text"
name="field_name" safe_string="will o' the wisp" />'
You can see that both the unsafe and safe strings were escaped. I
don't know if this is intentional or not, but it prevents me from
making something like:
<input type="text" onBlur="myFunction('string_arg')">
because it is always escaping my single-quotes. Is this the desired
behavior? Anyway, like I said, the culprit is:
# django.forms.util
def flatatt(attrs):
"""
Convert a dictionary of attributes to a single
string.
The returned string will contain a leading space followed by
key="value",
XML-style pairs. It is assumed that the keys do not need to be
XML-
escaped.
If the passed dictionary is empty, then return an empty
string.
"""
return u''.join([u' %s="%s"' % (k, escape(v)) for k, v in
attrs.items()]) # <-- right there, the escape(v) call... should this
be conditional_escape?
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---
