Index: openacs-4/packages/acs-templating/www/doc/noquote.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/www/doc/noquote.html,v diff -u -r1.1 -r1.2 --- openacs-4/packages/acs-templating/www/doc/noquote.html 27 Aug 2003 14:08:12 -0000 1.1 +++ openacs-4/packages/acs-templating/www/doc/noquote.html 7 Aug 2017 23:48:02 -0000 1.2 @@ -60,17 +60,21 @@ instance, close the <i> behind your back, you should quote it, and then enclose it between <i> and </i>.
The ACS has a procedure that performs HTML quoting, -ad_quotehtml. It accepts the string that needs to be quoted, and +ns_quotehtml. It accepts the string that needs to be quoted, and returns the quoted string. In ACS 3.x, properly written code was -expected to call ad_quotehtml every time it published a string to a +expected to call ns_quotehtml every time it published a string to a web page. For example:
-doc_body_append "<ul>\n" set db [ns_db gethandle] set selection -[ns_db select $db {SELECT name FROM bboard_forums}] while {[ns_db -getrow $db $selection]} { set_variables_after_query doc_body_append -"<li>Forum: <tt>[ad_quotehtml $name]</tt>\n" } +doc_body_append "<ul>\n" +set db [ns_db gethandle] +set selection [ns_db select $db {SELECT name FROM bboard_forums}] +while {[ns_db getrow $db $selection]} { + set_variables_after_query + doc_body_append "<li>Forum: <tt>[ns_quotehtml $name]</tt>\n" +} doc_body_append "</ul>\n" -
Obviously, this was very error-prone, and more often than not, + +
Obviously, this was very error-prone, and more often than not, the programmers would forget to quote the variables that come from the database or from the user. This would "usually" work, but in some cases it would lead to broken pages and even pose a @@ -94,8 +98,11 @@ the presentation template, and the programming logic code. The template will look like this:
-<ul> <multiple name=forums> <li>Forum: - <tt>@forums.name@</tt> </multiple> </ul> +<ul> + <multiple name=forums> + <li>Forum: <tt>@forums.name@</tt> + </multiple> +</ul>
Once you understand the (simple) workings of the multiple tag, this version strikes you as much more readable than the old one. But we're not done yet: we need to write the Tcl code that @@ -104,7 +111,9 @@ and assigns variables from each row to template variables in each pass of a multiple of our choice.
-db_multirow forums get_forum_names { SELECT name FROM forums } +db_multirow forums get_forum_names { + SELECT name FROM forums +}
At this point the careful reader will wonder at which point the forum name gets quoted, and if so, how does the templating @@ -125,24 +134,26 @@ templating still supports all the ADP features, including embedding Tcl code in the template. Thus instead of referring to the multirow variable with the @forums.name@ variable substitutions, we use -<%=�[ad_quotehtml�@forums.name@]�%>. This works +<%= [ns_quotehtml @forums.name@] %>. This works correctly, but obviously breaks the abstraction barrier between ADP and Tcl syntaxes. The practical result of breaking the abstraction is that every occurrence of Tcl code in an ADP template will have to be painstakingly reviewed and converted once ADPs start being invoked by Java code rather than Tcl. -
At this point, most programmers simply give up and +
+At this point, most programmers simply give up and don't quote their variables at all . Quoting is handled only in the areas where it is really crucial and where not handling it would quote immediate and visible breakage, such as in the case of displaying the bodies of bboard articles. This is not exaggeration; it has been proven by auditing the ACS 4.0, both -manually and through grepping for ad_quotehtml. Strangely, this +manually and through grepping for ns_quotehtml. Strangely, this otherwise sad fact allows us to deploy a very radical but much more robust solution to the problem. -
At the time when we came to realize how serious the quoting deficiencies of ACS 4.0 were, we were about two weeks away from the release of a project for the German Bank. There was simply @@ -197,11 +208,7 @@ "gotchas" that one can expect follows in a separate document . -
The discussion about speed, i.e. benchmarking results -before and after the change, is -also available -. -
+
>