Hopbot log for 2010-02-03 - Helma IRC channel: #helma on irc.freenode.net

2010-02-03:

[8:38] <oberhamsi> | escapeHtml works for now. botic & me just noticed that django&ruby do auto-escape per default and at least our skins would befenit from that
[8:39] <oberhamsi> i'll notice immediatly when something is escaped, but shouldn't be. not so much the other way around. would be another plus
[8:44] <oberhamsi> (django core devs had half a year of disucssion about this, all info referenced here http://code.djangoproject.com/wiki/AutoEscaping )
[8:44] <emilis_info> hmm
[8:44] <emilis_info> I come from PHP world
[8:45] <emilis_info> magic_quotes still haunts me
[8:50] <oberhamsi> as i experienced it, the main problem with magic_quotes was that it was optional
[8:50] <emilis_info> %)
[8:50] <oberhamsi> some apps required it, some didn't and mixing their code was impossible :)
[8:51] <emilis_info> for me the main problem is the stupidity of unescaping something that does not need to be escaped
[8:54] <emilis_info> I don't think it is impossible to mix code if it is written properly
[8:54] <oberhamsi> aggreed, if a security feature is super annoying people will find a way around it
[8:55] <emilis_info> also I don't like the way django implemented the unescaping (from your link), but that's just another point in my why-i-don't-use-traditional-templating-engines list ;-)
[8:58] <emilis_info> so... since I don't use skins, I may be wrong on what their users like and expect :-)
[8:58] <oberhamsi> mh... think of it like jdbc's prepared statements. everything you put in is escaped, everything you get returned is un-escaped
[8:59] <oberhamsi> how do you output html or don't you?
[8:59] <emilis_info> What if you need to input a piece of HTML from another function?
[8:59] <oberhamsi> ah not traditional... what then :)
[8:59] <emilis_info> I use embedded version of the same language the app is coded in
[8:59] <emilis_info> with PHP you nearly don't have to do anything at all
[9:00] <emilis_info> just some output buffering, to capture the result into a string
[9:00] <oberhamsi> yes some macros need their raw output (renderSkin), you can still do that and it's something that will break very obviously
[9:00] <emilis_info> with js on Helma, I wrote a small class that parses js embedded in strings
[9:01] <oberhamsi> i don't think hannes liked the proposal too much and it certainly would be a lot of effort (i think) for smth that can already be solved with | escapeHtml.
[9:01] <oberhamsi> oh nice. care to share?
[9:01] <emilis_info> just a sec
[9:01] <emilis_info> :)
[9:02] <emilis_info> http://bazaar.launchpad.net/~emilis-d/policyfeed/trunk/annotate/head%3A/modules/ctl/Template.js
[9:04] <oberhamsi> small... i like it
[9:05] <emilis_info> :)
[9:07] <oberhamsi> hehe you don't like the way django does un-escaping.. it's the way ng does escaping :D
[9:11] <emilis_info> hmh
[9:11] <emilis_info> can't you use something like a function for that?
[9:12] <emilis_info> something like escape(var)
[9:12] <emilis_info> :)
[17:01] <hannes__> the helma-ng demo app on google app engine is now a jabber/xmpp echo server
[17:02] <hannes__> just add helma-ng@appspot.com to your jabber contacts and send it anything
[17:02] <hannes__> it should come right back.
[17:02] <hannes__> pretty cool!
[17:03] <hannes__> a?lsdkjf ?lkj as?dlfjk ?alsdkjf?alskdj f?asdf
[17:04] <hannes__> oops, wrong chat window, sorry :)

 

 

In the channel now:

Logs by date: