Jakub Narebski <jnareb@xxxxxxxxx> writes:

> There is no need to escape HTML tag's attributes in CGI.pm
> HTML methods (like CGI::a()), because CGI.pm does attribute
> escaping automatically.
>
> Explanation:
>   $cgi->a({ ... -attribute => attribute_value }, tag_contents)
> is translated to
>   <a ... attribute="attribute_value">tag_contents</a>
> The rules for escaping attribute values (which are string contents) are
> different. For example you have to take care about escaping embedded '"'
> and "'" characters; CGI::a() does that for us automatically.
>
> CGI::a() cannot HTML escape tag contents automatically; we might want to
> write
>   <a href="URL">some <b>bold</b> text</a>
> for example. So we have to esc_html (or esc_path) if needed.
>
> Signed-off-by: Jakub Narebski <jnareb@xxxxxxxxx>
> ---
> Junio C Hamano wrote:
>> Jakub Narebski <jnareb@xxxxxxxxx> writes:
>>
>>> In short: escape tag contents if needed, do not escape attribute values.
>>
>> I trust a patch from you will follow shortly?
>
> Here it is. I hope I found everything.
>
> Commit message is a bit long, so you can cut it to first sentence only
> (or even only to title/subject).

Thanks.

I think your explanation in the log message has the right
amount of details and keeping it there would help people who
would want to later touch the code.
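
The rule from the quoted commit message, as an added Perl example that is not part of the patch or of gitweb: it builds the same link three ways with `$cgi->a()` and flags output in which an entity was escaped a second time. `esc_text` is a hypothetical stand-in for gitweb's `esc_html`, the URL and strings are constructed sample values, and CGI.pm is assumed to be installed.

```perl
#!/usr/bin/perl
# Added example: not part of the patch or of gitweb.
use strict;
use warnings;
use CGI;    # CGI.pm; on perl 5.22 and later it is installed from CPAN

# Hypothetical stand-in for gitweb's esc_html(): escape text that will be
# used as tag contents.
sub esc_text {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Empty parameter set, so nothing is read from the environment or stdin.
my $cgi = CGI->new({});

# Constructed sample values.
my $url   = 'gitweb.cgi?p=repo.git&a=commit';
my $title = 'say "hi" & <bye>';
my $label = 'a < b & c';

my %link = (
    # Attribute escaped by hand and then again by CGI.pm.
    'escaped twice'     => $cgi->a({ -href => esc_text($url) }, esc_text($label)),
    # The rule from the commit message: raw attributes, escaped contents.
    'as the patch does' => $cgi->a({ -href => $url, -title => $title }, esc_text($label)),
    # Contents are passed through untouched, so markup in them stays markup.
    'contents as-is'    => $cgi->a({ -href => $url }, 'some <b>bold</b> text'),
);

for my $case (sort keys %link) {
    my $html = $link{$case};
    # An entity whose own ampersand was escaped again shows up as "&amp;amp;".
    my $verdict = $html =~ /&amp;(?:amp|lt|gt|quot);/ ? 'double-escaped' : 'ok';
    printf "%-18s %-15s %s\n", $case, $verdict, $html;
}
```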