The ACS has a procedure that performs HTML quoting, -ad_quotehtml. It accepts the string that needs to be quoted, and +ns_quotehtml. It accepts the string that needs to be quoted, and returns the quoted string. In ACS 3.x, properly written code was -expected to call ad_quotehtml every time it published a string to a +expected to call ns_quotehtml every time it published a string to a web page. For example:
doc_body_append "<ul>\n" set db [ns_db gethandle] set selection
[ns_db select $db {SELECT name FROM bboard_forums}] while {[ns_db
getrow $db $selection]} { set_variables_after_query doc_body_append
-"<li>Forum: <tt>[ad_quotehtml $name]</tt>\n" }
+"<li>Forum: <tt>[ns_quotehtml $name]</tt>\n" }
doc_body_append "</ul>\n"
Obviously, this was very error-prone, and more often than not, the programmers would forget to quote the variables that come @@ -125,7 +125,7 @@ templating still supports all the ADP features, including embedding Tcl code in the template. Thus instead of referring to the multirow variable with the @forums.name@ variable substitutions, we use -<%=�[ad_quotehtml�@forums.name@]�%>. This works +<%=�[ns_quotehtml�@forums.name@]�%>. This works correctly, but obviously breaks the abstraction barrier between ADP and Tcl syntaxes. The practical result of breaking the abstraction is that every occurrence of Tcl code in an ADP template will have to be @@ -138,7 +138,7 @@ handling it would quote immediate and visible breakage, such as in the case of displaying the bodies of bboard articles. This is not exaggeration; it has been proven by auditing the ACS 4.0, both -manually and through grepping for ad_quotehtml. Strangely, this +manually and through grepping for ns_quotehtml. Strangely, this otherwise sad fact allows us to deploy a very radical but much more robust solution to the problem.