Index: openacs-4/packages/acs-templating/www/doc/noquote.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/www/doc/noquote.html,v diff -u -r1.1.24.1 -r1.1.24.2 --- openacs-4/packages/acs-templating/www/doc/noquote.html 18 Sep 2015 07:46:48 -0000 1.1.24.1 +++ openacs-4/packages/acs-templating/www/doc/noquote.html 7 Nov 2016 19:16:25 -0000 1.1.24.2 @@ -65,12 +65,16 @@ expected to call ns_quotehtml every time it published a string to a web page. For example: 

-doc_body_append "<ul>\n" set db [ns_db gethandle] set selection
-[ns_db select $db {SELECT name FROM bboard_forums}] while {[ns_db
-getrow $db $selection]} { set_variables_after_query doc_body_append
-"<li>Forum: <tt>[ns_quotehtml $name]</tt>\n" }
+doc_body_append "<ul>\n"
+set db [ns_db gethandle]
+set selection [ns_db select $db {SELECT name FROM bboard_forums}]
+while {[ns_db getrow $db $selection]} {
+    set_variables_after_query
+    doc_body_append "<li>Forum: <tt>[ns_quotehtml $name]</tt>\n"
+}
 doc_body_append "</ul>\n"
-

Obviously, this was very error-prone, and more often than not, + +

Obviously, this was very error-prone, and more often than not, the programmers would forget to quote the variables that come from the database or from the user. This would "usually" work, but in some cases it would lead to broken pages and even pose a @@ -94,8 +98,11 @@ the presentation template, and the programming logic code. The template will look like this: 

-<ul> <multiple name=forums> <li>Forum:
-  <tt>@forums.name@</tt> </multiple> </ul>
+<ul>
+  <multiple name=forums>
+    <li>Forum: <tt>@forums.name@</tt>
+  </multiple>
+</ul>

Once you understand the (simple) workings of the multiple tag, this version strikes you as much more readable than the old one. But we're not done yet: we need to write the Tcl code that @@ -104,7 +111,9 @@ and assigns variables from each row to template variables in each pass of a multiple of our choice. 

-db_multirow forums get_forum_names { SELECT name FROM forums }
+db_multirow forums get_forum_names {
+  SELECT name FROM forums
+}

At this point the careful reader will wonder at which point the forum name gets quoted, and if so, how does the templating @@ -131,7 +140,8 @@ that every occurrence of Tcl code in an ADP template will have to be painstakingly reviewed and converted once ADPs start being invoked by Java code rather than Tcl. -

At this point, most programmers simply give up and +

+

At this point, most programmers simply give up and don't quote their variables at all . Quoting is handled only in the areas where it is really crucial and where not @@ -141,8 +151,9 @@ manually and through grepping for ns_quotehtml. Strangely, this otherwise sad fact allows us to deploy a very radical but much more robust solution to the problem. -

Quote Always, Except When Told Not to. -

+

+

Quote Always, Except When Told Not to.

+

At the time when we came to realize how serious the quoting deficiencies of ACS 4.0 were, we were about two weeks away from the release of a project for the German Bank. There was simply @@ -197,11 +208,7 @@ "gotchas" that one can expect follows in a separate document . -

The discussion about speed, i.e. benchmarking results -before and after the change, is -also available -. -

+

>

Hrvoje Niksic