On Apr 26, 2005, at 1:19 AM, Jp Calderone wrote:


Nevow has liveevil.jquote(), which I believe does what you want. It is strikingly simple and straightforward:


   def jquote(jscript):
       # Escape backslashes first, then single quotes, then newlines, so the
       # result can be dropped between single quotes in generated JS source.
       return (jscript.replace('\\', '\\\\')
                      .replace("'", "\\'")
                      .replace('\n', '\\n'))

I wonder if it isn't buggy somehow :) I don't know javascript well enough myself to say either way.

This is for explicitly quoting strings for inclusion in a javascript function call which is being built, which is why it is quoting '.


For example:

nevow_clientToServerEvent('identifier', 'hello(\'world\')')

The second argument would have been a python string which looked like this, which was then run through jquote before being used to build the nevow_clientToServerEvent call:

"hello('world')"

To apply this to jj's original example, assigning a javascript string to a javascript variable, use single quotes around the call to jquote, or switch jquote to quote " instead of '.

var s = '$jquote($s)'

Leaving it up to the developer to ensure every potentially unsafe python string is quoted properly always makes me nervous. Nevow has enough information to automatically safely quote strings inserted in html, html attribute, and URL contexts, but isn't currently smart enough to know much about javascript and javascript string quoting contexts. livepage will try to quote things properly for you if you are using livepage.handler (which uses jquote as shown above) but it's pretty easy to fool, because nevow doesn't yet know enough about JavaScript to really be safe. I hope to add some additional intelligence soon to cover this, and perhaps also to cover CSS contexts.

dp
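The thread above leaves open whether jquote is "buggy somehow" and notes that it is "pretty easy to fool" once the quoted string lands inside an HTML <script> block. The following is an added example, not code from Nevow or from either poster: it keeps the quoted jquote as-is for comparison and puts beside it a js_string_literal() helper that emits a complete, double-quoted JavaScript string literal via json.dumps and additionally escapes the characters (<, >, &, ') that are harmless inside a JS string but meaningful to the surrounding HTML parser. closes_script_block() is a constructed check showing the difference on the classic </script> input; client_to_server_call() is a hypothetical stand-in for how nevow_clientToServerEvent(...) would be assembled with the safer helper.

```python
import json


def jquote(jscript):
    # The escaper quoted in the thread (Nevow's liveevil.jquote), unchanged.
    # Caller is expected to wrap the result in its own quotes.
    return (jscript.replace('\\', '\\\\')
                   .replace("'", "\\'")
                   .replace('\n', '\\n'))


# Characters that are legal inside a JS string literal but that the HTML
# parser acts on before the JS engine ever sees them. Written as \uXXXX
# escapes they stay inert in both contexts. (Constructed table.)
_HTML_SENSITIVE = {
    '<': '\\u003c',   # prevents '</script>' from ending the script block
    '>': '\\u003e',
    '&': '\\u0026',   # prevents entity decoding inside attributes
    "'": '\\u0027',   # safe inside a single-quoted onclick='...' attribute
}


def js_string_literal(value):
    """Return a complete JS string literal (with its double quotes) for value.

    json.dumps already escapes backslash, double quote, \\n, \\r, \\t and
    other control characters, and with ensure_ascii=True it turns every
    non-ASCII code point into \\uXXXX, which covers the JS line terminators
    U+2028 and U+2029 that jquote leaves raw. The second pass handles the
    HTML-sensitive characters listed above. Unlike jquote, the caller must
    NOT add quotes around the result.
    """
    literal = json.dumps(value, ensure_ascii=True)
    for ch, esc in _HTML_SENSITIVE.items():
        literal = literal.replace(ch, esc)
    return literal


def closes_script_block(js_source):
    # Constructed check: would an HTML parser see the end of a <script>
    # element somewhere in this text? Case-insensitive like the parser.
    return '</script' in js_source.lower()


def client_to_server_call(identifier, payload):
    # Hypothetical builder for the nevow_clientToServerEvent(...) call shown
    # in the thread, using the safer literal helper for both arguments.
    return 'nevow_clientToServerEvent(%s, %s);' % (
        js_string_literal(identifier), js_string_literal(payload))


if __name__ == '__main__':
    sample = "hello('world')"
    print(jquote(sample))
    print(js_string_literal(sample))
    print(client_to_server_call('identifier', sample))
    # jquote passes '</script>' through untouched; js_string_literal does not.
    print(closes_script_block(jquote('</script>')))            # True
    print(closes_script_block(js_string_literal('</script>')))  # False
```

The design choice is to make the helper own the quotes: a function that returns only the escaped body (jquote's contract) leaves the caller free to wrap it in the wrong kind of quote, which is exactly the mismatch the thread works around with '$jquote($s)'. Returning a finished literal removes that degree of freedom, and escaping <, >, &, ' as \uXXXX means the same literal is safe whether it ends up in a <script> body or an event-handler attribute.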

_______________________________________________
Web-SIG mailing list
[email protected]
Web SIG: http://www.python.org/sigs/web-sig