
Thread: html escaping question




html escaping question
2007-03-21 03:13:16
Hello all,

as you could help me that fast and excellent yesterday I have another question to you ;)

What is the best/common practice to get text that might contain html escapable characters (e. g. '&', '<') from a form field to catalyst to db and back to form field?

At the moment I'm thinking of not doing any html escaping at all and believe in unicode to handle the encoding correctly, but I would run into problems with '<funname>'.

So if I escape a string and send it back to the form the content of the textfield is '&lt;funame&gt;'. Why is that?

Again every thought is almost welcome.

Greets,
Mario Minati

_______________________________________________
List: Catalystlists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalystlists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/

Re: html escaping question
2007-03-21 06:29:32
On Wednesday 21 March 2007 10:38, Ash Berlin wrote:
> Mario Minati wrote:
> > Hello all,
> >
> > as you could help me that fast and excellent yesterday I have another
> > question to you ;)
> >
> > What is the best/common practice to get text that might contain html
> > escapable characters (e. g. '&', '<') from a form field to catalyst to db
> > and back to form field?
> >
> > At the moment I'm thinking of not doing any html escaping at all and
> > believe in unicode to handle the encoding correctly, but I would run into
> > problems with '<funname>'.
> >
> > So if I escape a string and send it back to the form the content of the
> > textfield is '&lt;funame&gt;'. Why is that?
> >
> > Again every thought is almost welcome.
> >
> > Greets,
> > Mario Minati
>
> I'll assume you are using TT since you didn't say otherwise
>
> [% '<funname>' | html %]


You mean I have to filter every form field that way?
Or do you mean normal text content?

I hope there's a smoother solution otherwise this would be quite a bit of work.

How are others solving the problem with this kind of characters in unicode enabled websites?

Greets,
Mario


Re: html escaping question
2007-03-21 06:42:08
On 21/03/07, Mario Minati <mario.minatigooglemail.com> wrote:
> On Wednesday 21 March 2007 10:38, Ash Berlin wrote:
> > Mario Minati wrote:
> > > What is the best/common practice to get text that might contain html
> > > escapable characters (e. g. '&', '<') from a form field to catalyst to db
> > > and back to form field?
> > >
> > > At the moment I'm thinking of not doing any html escaping at all and
> > > believe in unicode to handle the encoding correctly, but I would run into
> > > problems with '<funname>'.
> > >
> > > So if I escape a string and send it back to the form the content of the
> > > textfield is '&lt;funame&gt;'. Why is that?
> >
> > I'll assume you are using TT since you didn't say otherwise
> >
> > [% '<funname>' | html %]
>
> You mean I have to filter every form field that way?
> Or do you mean normal text content?

Mario,

Am I right in thinking you're not using formfu in this particular case?
Because if you are, H::FF::Element::field::_render_value() already runs all values through H::FF::Util::xml_escape() which escapes the 5 characters & " ' < >
In which case you may be double-escaping.

If your page is xhtml, and your page charset is utf-8, the 5 characters above are all that should need escaped, unicode characters shouldn't need to be.

Carl


Re: html escaping question
2007-03-21 09:01:04
On 21/03/07, Mario Minati <mario.minatigooglemail.com> wrote:
> On Wednesday 21 March 2007 12:42, Carl Franks wrote:
> > In which case you may be double-escaping.
>
> But how can I circumvent this. Actually it's not a clever question.
> Is it useful to circumvent that.
>
> My current problem:
> As the part of my project I am working on at moment deals with companies I
> have to deal with "GmbH & Co. KG" which is a quite popular type of company in
> Germany.
>
> If a user types that in a form field everything is fine until it comes to
> editing. The string is escaped - of course. But the user is confused when he
> sees "GmbH &amp; Co. KG".

Find out which part of your app is double-escaping, and stop it.
If your template has just [% form %] there shouldn't be any problem.

By default, a field with:
    default_value('GmbH & Co')
will render as:
    value="Gmbh &amp; Co"
the user will see the value as:
    GmbH & Co
and when it's submitted, the server will see:
    GmbH & Co


Re: html escaping question
2007-03-21 09:29:02
On Wednesday 21 March 2007 15:01, Carl Franks wrote:
> On 21/03/07, Mario Minati <mario.minatigooglemail.com> wrote:
> > On Wednesday 21 March 2007 12:42, Carl Franks wrote:
> > > In which case you may be double-escaping.
> >
> > But how can I circumvent this. Actually it's not a clever question.
> > Is it useful to circumvent that.
> >
> > My current problem:
> > As the part of my project I am working on at moment deals with companies
> > I have to deal with "GmbH & Co. KG" which is a quite popular type of
> > company in Germany.
> >
> > If a user types that in a form field everything is fine until it comes
> > to editing. The string is escaped - of course. But the user is confused
> > when he sees "GmbH &amp; Co. KG".
>
> Find out which part of your app is double-escaping, and stop it.
> If your template has just [% form %] there shouldn't be any problem.
>
> By default, a field with:
>     default_value('GmbH & Co')
> will render as:
>     value="Gmbh &amp; Co"
> the user will see the value as:
>     GmbH & Co
> and when it's submitted, the server will see:
>     GmbH & Co

You were right, as always

I used the FormFu HTMLEscape Filter and the $amp; in the database got encoded a second time while form processing.

Thanks again,
Mario
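
The double-escaping diagnosed in this thread, as an added example that is not part of the original posts and is not HTML::FormFu code. The helper names (`escape_html`, `browser_decode`, `render_field`, `user_sees`, `looks_pre_escaped`) and the sample value are assumptions made for illustration; the script compares storing the raw value and escaping once at output with escaping on input and again at output.

```perl
use strict;
use warnings;
# Hypothetical helpers for illustration; not HTML::FormFu or Catalyst code.

# Escape the five characters named in the thread: & " ' < >
sub escape_html {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '"' => '&quot;', "'" => '&#39;',
               '<' => '&lt;',  '>' => '&gt;');
    $s =~ s/([&"'<>])/$ent{$1}/g;
    return $s;
}

# What a browser does to an attribute value before showing it (one pass only).
sub browser_decode {
    my ($s) = @_;
    my %chr = (amp => '&', quot => '"', '#39' => "'", lt => '<', gt => '>');
    $s =~ s/&(amp|quot|#39|lt|gt);/$chr{$1}/g;
    return $s;
}

# Render a text input; escaping belongs here, once, at output time.
sub render_field {
    my ($stored) = @_;
    return sprintf '<input name="company" value="%s" />', escape_html($stored);
}

# The text the user sees in the rendered field.
sub user_sees {
    my ($html) = @_;
    my ($attr) = $html =~ /value="([^"]*)"/;
    return browser_decode($attr);
}

# Heuristic audit of stored data: entities in the DB suggest escaping on input.
# A user who really typed "&amp;" also matches, so review hits by hand.
sub looks_pre_escaped {
    my ($stored) = @_;
    return $stored =~ /&(?:amp|quot|lt|gt|#0*39);/ ? 1 : 0;
}

my $submitted = 'GmbH & Co. KG';    # constructed sample input
for my $case ( [ 'raw in db, escaped on output'     => $submitted ],
               [ 'escaped on input and on output'   => escape_html($submitted) ] ) {
    my ($label, $stored) = @$case;
    my $html = render_field($stored);
    printf "%s\n  db:        %s\n  html:      %s\n  user sees: %s\n  flagged:   %d\n",
        $label, $stored, $html, user_sees($html), looks_pre_escaped($stored);
}
```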


Re: html escaping question
2007-03-21 08:47:45
On Wednesday 21 March 2007 12:42, Carl Franks wrote:
> On 21/03/07, Mario Minati <mario.minatigooglemail.com> wrote:
> > On Wednesday 21 March 2007 10:38, Ash Berlin wrote:
> > > Mario Minati wrote:
> > > > What is the best/common practice to get text that might contain html
> > > > escapable characters (e. g. '&', '<') from a form field to catalyst
> > > > to db and back to form field?
> > > >
> > > > At the moment I'm thinking of not doing any html escaping at all and
> > > > believe in unicode to handle the encoding correctly, but I would run
> > > > into problems with '<funname>'.
> > > >
> > > > So if I escape a string and send it back to the form the content of
> > > > the textfield is '&lt;funame&gt;'. Why is that?
> > >
> > > I'll assume you are using TT since you didn't say otherwise
> > >
> > > [% '<funname>' | html %]
> >
> > You mean I have to filter every form field that way?
> > Or do you mean normal text content?
>
> Mario,
>
> Am I right in thinking you're not using formfu in this particular case?
> Because if you are, H::FF::Element::field::_render_value() already
> runs all values through H::FF::Util::xml_escape() which escapes the 5
> characters & " ' < >
> In which case you may be double-escaping.

I am Carl.
But how can I circumvent this. Actually it's not a clever question.
Is it useful to circumvent that.

My current problem:
As the part of my project I am working on at moment deals with companies I have to deal with "GmbH & Co. KG" which is a quite popular type of company in Germany.

If a user types that in a form field everything is fine until it comes to editing. The string is escaped - of course. But the user is confused when he sees "GmbH &amp; Co. KG".

How to go about that?

Greets,
Mario Minati


Re: html escaping question
2007-03-21 12:38:00
On Wednesday 21 March 2007 17:19, Ian Docherty wrote:
Hi Ian,

yes I kicked out the HTMLEscape Constraint.
And the result is a nice '&' in the DB (checked with pgadmin III).

Thanks for your concern.

Greets,
Mario


> Mario
> I might have the wrong end of the stick here but I hope you are saying
> that you are going to fix this by making sure that the database holds
> the un-escaped text?
>
> Regards
> Ian C Docherty (icydee)
>
> Mario Minati wrote:
> > On Wednesday 21 March 2007 15:01, Carl Franks wrote:
> >
> > <snip>
> >
> >
> > You were right, as always
> >
> > I used the FormFu HTMLEscape Filter and the $amp; in the database got
> > encoded a second time while form processing.
> >
> > Thanks again,
> > Mario