Index: openacs-4/packages/acs-templating/www/doc/no-quote-upgrade.adp =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/www/doc/no-quote-upgrade.adp,v diff -u -r1.3 -r1.3.2.1 --- openacs-4/packages/acs-templating/www/doc/no-quote-upgrade.adp 23 Jun 2015 14:23:07 -0000 1.3 +++ openacs-4/packages/acs-templating/www/doc/no-quote-upgrade.adp 20 Aug 2015 17:19:53 -0000 1.3.2.1 @@ -20,11 +20,17 @@ The change to the templating system can be expressed in one sentence:
All variables are now quoted by default, except those -explicitly protected by ;noquote.
+explicitly protected by ;noquote or +;literal;. This means that the only way your code can fail is if the new code quotes a variable which is not meant to be quoted. Which is where ;noquote needs to be added. That's all porting effort that -is required. +is required. Actually, the variables are subject to HTML-quoting +and internationalization. The suffix ;noquote means that +the variable's content will be internationalized, but not +HTML-quoted, while ;no18n means quote, but don't +internationalize. Finally ;literal means: don't quote and +don't internationalize.

This is not hard because most variables will not be affected by this change. Most variables either need to be quoted (those containing textual data that comes from the database or from the @@ -156,7 +162,7 @@ one of the characters <, > or &. If it does, they will appear quoted to the user instead of appearing as-is.

Over-quoting is resolved by adding ;noquote to one of -the variables. We strongly recommend that you add ;noquote +the variables. We strongly recommend that you add ;literal inside the property tag rather than in the master. The reason is that, first, it makes sense to do so because conceptually the master is the one that "shows" the variable, so it makes sense @@ -169,8 +175,8 @@ like this:

slave sans over-quoting:
 <master>
-<property name="title">\@title;noquote\@</property>
-<property name="heading">\@title;noquote\@</property>
+<property name="doc(title)">\@title;literal\@</property>
+<property name="heading">\@title;literal\@</property>
 ...
       
 
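Review bot: the `+` line renames the `title` property to `doc(title)` while the `heading` property on the next line keeps its plain name and the prose introducing the example ("like this:") says nothing about the rename; the before/after pair is supposed to differ only in the suffix, so if the master now expects `doc(title)` the matching master template and the over-quoting variant of this slave need the same change, or the rename should be split out of the `;noquote` to `;literal` migration.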
@@ -183,7 +189,7 @@ <form action="do-kick" method=POST> Kick user \@name\@.<br> Reason: <textarea name=reason>\@reason\@</textarea><br> - <input type="submit" value="Kick"> + <input type=submit value="Kick"> </form> @@ -197,9 +203,9 @@ the last example: it gets quoted once by the includer, and the second time by the included page. The fix is also similar: when you transfer non-constant text to an included page, make sure to add -;noquote.

+;literal.

Including template, sans over-quoting:
-<include src="user-kick-form" id=\@kicked_id\@ reason=\@default_reason;noquote\@>
+<include src="user-kick-form" id=\@kicked_id;literal\@ reason=\@default_reason;literal\@>
       
 

Upgrade Overview.

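Review bot: `id=\@kicked_id;literal\@` adds `;literal` to the `id` attribute, but the sentence just above says to add it when transferring non-constant text to the included page, and `kicked_id` is an identifier rather than text; either restrict the change to `reason=\@default_reason;literal\@` or extend the prose to say that every include attribute, not just textual ones, should carry `;literal`, so that the example and the rule it illustrates agree.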
@@ -212,11 +218,11 @@
  • Audit the template for variables that export form variables and add ;noquote to them.
  • More generally, audit the template for variables that are known to contain HTML, e.g. those that contain widgets or HTML content -provided by the user. Add ;noquote to them.
  • Add ;noquote to variables used inside the +provided by the user. Add ;noquote to them.
  • Add ;literal to variables used inside the property tag.
  • Add ;noquote to textual variables whose values are attributes to the include tag.
  • Audit the template for occurrences of -<%= [ad_quotehtml \@variable\@] => -and replace them with \@variable\@.
  • Audit the Tcl code for occurrences of ad_quotehtml. If +<%= [ns_quotehtml \@variable\@] => +and replace them with \@variable\@.
  • Audit the Tcl code for occurrences of ns_quotehtml. If it is used to build an HTML component, leave it, but take note of the variable the result gets saved to. Otherwise, remove the quoting.
  • Add ;noquote to the "HTML component" variables noted @@ -263,6 +269,6 @@ from the user.


  • Hrvoje -Niksic
    -Last modified: Mon Oct 7 12:27:47 CEST 2002 +NiksicLast modified: Thu Aug 20 18:38:05 CEST 2015 +
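Review bot: in the -20 hunk the first sentence ends in `;noquote or ;literal;` with a stray trailing semicolon, and the new suffix is spelled `;no18n` while the explanation calls it "internationalize"; the standard abbreviation for internationalization is i18n, so verify the suffix the template compiler actually accepts (`;noi18n`) before documenting it, because a reader who copies the documented spelling into a template only learns at runtime whether it is recognized. The added "Actually, the variables are subject to HTML-quoting and internationalization." reads as a retraction of "That's all porting effort that is required." in the line before it; "More precisely," fits better.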
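Review bot: in the -156 hunk the sentence "Over-quoting is resolved by adding ;noquote to one of the variables." is left unchanged while the next sentence now recommends `;literal` inside the property tag; since the -20 hunk defines `;literal` as "don't quote and don't internationalize", the paragraph should say why a property value must also skip internationalization (a property value that relies on it would stop being translated once it passes through the property tag), or keep `;noquote` here.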
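Review bot: the only change in the -183 hunk, `<input type="submit" value="Kick">` to `<input type=submit value="Kick">`, removes the quotes around one attribute value and leaves the same tag half-quoted (`value="Kick"` keeps its quotes); it is unrelated to the `;literal` migration and makes the example worse HTML, so it should be dropped.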
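Review bot: in the -212 hunk the checklist item "Add ;noquote to textual variables whose values are attributes to the include tag." is kept as context while the include example in the -197 hunk was changed to `;literal`, so the upgrade overview now contradicts the worked example it summarizes; update the item to whichever suffix the example settles on. While the `ad_quotehtml` line is being renamed to `ns_quotehtml`, the closing delimiter in `<%= [ns_quotehtml \@variable\@] =>` looks like it should be `%>` to match the `<%=` that opens it.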
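Review bot: in the -263 hunk the `+NiksicLast modified: Thu Aug 20 18:38:05 CEST 2015` line drops the break that separated `-Niksic` from `-Last modified:` in the removed lines, so the rendered footer will read "NiksicLast modified"; restore the separator between the author name and the timestamp.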