Index: openacs-4/packages/acs-templating/www/doc/no-quote-upgrade.adp =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/www/doc/no-quote-upgrade.adp,v diff -u -r1.3.2.2 -r1.3.2.3 --- openacs-4/packages/acs-templating/www/doc/no-quote-upgrade.adp 25 Aug 2015 18:02:10 -0000 1.3.2.2 +++ openacs-4/packages/acs-templating/www/doc/no-quote-upgrade.adp 9 Jun 2016 13:03:12 -0000 1.3.2.3 @@ -7,7 +7,7 @@ The variable substitution in the templating has been changed to become more friendly towards quoting. The rationale for the change -and the definition of terms like quoting +and the definition of terms like quoting are present in the quoting article . As it discusses @@ -44,9 +44,9 @@ this change. Most variables either need to be quoted (those containing textual data that comes from the database or from the user) or are unaffected by quoting (numerical database IDs, etc.) -The variables where this behavior is undesired are those that -contain HTML which is expected to be included as part of the -page, and those that are already quoted by Tcl code. Such +The variables where this behavior is undesired are those that +contain HTML which is expected to be included as part of the +page, and those that are already quoted by Tcl code. Such variables should be protected from quoting by the ;noquote modifier.
-Hidden form variables.
+Hidden form variables.
Also known as "hidden input fields", hidden form variables are form
fields with pre-defined values which are not shown to the user.
These days they are used for transferring internal state across
@@ -107,26 +107,26 @@
-Snippets of HTML produced by Tcl code, aka
-widgets
-.
+Snippets of HTML produced by Tcl code, aka
+widgets
+.
Normally we try to fit all HTML code into the ADP template and have
the Tcl code handle the "logic" of the program. And yet, sometimes
pieces of relatively convoluted HTML need to be included in many
templates. In such cases, it makes sense to generate the
-widget programmatically and include it into the template as
+widget programmatically and include it into the template as
a variable. A typical widget is a date entry widget which provides
the user the input and selection boxes for year, month, and day,
all of which default to the current date.
Another example of widgets is the context bar often found +
Another example of widgets is the context bar often found on top of ACS pgages.
Obviously, all widgets should be treated as HTML and therefore adorned with the ;noquote qualifier. This also assumes that the routines that build the widget are correctly -written and that they will quote the components used to +written and that they will quote the components used to build the widget.
-Pieces of text that are already quoted.
+Pieces of text that are already quoted.
This quoting is usually part of a more general preparation for HTML
rendering of the text. For instance, a bboard posting can be either
HTML or text. If it is HTML, we transmit it as is; if not, we
@@ -144,7 +144,7 @@
given by the Tcl code. Typically page titles, headings, and context
bars are handled this way. For example:
-master:-+master:<head> <title>\@title\@</title> </head> @@ -153,7 +153,7 @@ <slave> </body> -slave:+slave:<master> <property name="title">\@title\@</property> <property name="heading">\@title\@</property> @@ -181,13 +181,13 @@ (or not) only once, at the point where the value is passed from the Tcl code to the templating system. However, no such point in time exists because what in fact happens is that the template gets -compiled into code that simply takes what it needs from the -environment and then does the quoting. Properties are passed +compiled into code that simply takes what it needs from the +environment and then does the quoting. Properties are passed to the master so that all the property variables are shoved into an environment; by the time the master template is executed, all information on which variable came from where and whether it might have already been quoted is lost.
This occurrence is often referred to as over-quoting. +
This occurrence is often referred to as over-quoting. Over-quoting is sometimes hard to detect because things seem to work fine in most cases. To notice the problem in the example above (and in any other over-quoting example), the title needs to contain @@ -208,7 +208,7 @@
To reiterate, a bug-free version of the slave template looks like this:
-slave sans over-quoting:+slave sans over-quoting:<master> <property name="doc(title)">\@title;literal\@</property> <property name="heading">\@title;literal\@</property> @@ -219,10 +219,10 @@The exact same problems when the include statement passes some text. Here is an example:
-Including template:+Including template:<include src="user-kick-form" id=\@kicked_id\@ reason=\@default_reason\@> -Included template:+Included template:<form action="do-kick" method=POST> Kick user \@name\@.<br> Reason: <textarea name=reason>\@reason\@</textarea><br> @@ -245,7 +245,7 @@ transfer non-constant text to an included page, make sure to add ;literal.-Including template, sans over-quoting:+Including template, sans over-quoting:<include src="user-kick-form" id=\@kicked_id;literal\@ reason=\@default_reason;literal\@>@@ -285,12 +285,12 @@ watch out for.
- -HTML junk appearing in the page.
+HTML junk appearing in the page.
Literal HTML visible to the user typically comes from an "export_form_vars" or a widget variable that lacks ;noquote. To fix the problem, simply add ;noquote to the variable.- -Over-quoting and under-quoting.
+Over-quoting and under-quoting.
To detect quoting defects, you need to assume an active role in naming your objects. The best way to do it is to create objects (bboard forums, messages, news items, etc.) with names that contain