Bug #101193 for Template-Toolkit: HTML.escape() double-escapes already-escaped entities

Mon Dec 29 13:59:50 2014 themanchicken [...] gmail.com - Ticket created

Subject:	HTML.escape() double-escapes already-escaped entities
Date:	Mon, 29 Dec 2014 13:59:21 -0500
To:	bug-Template-Toolkit [...] rt.cpan.org
From:	Michael Stemle <themanchicken [...] gmail.com>

If you use the code: [% HTML.escape( ">tag<" ) %] then it will expand to: &gt;tag&lt; which is different from the expected behavior of leaving existing escaped entities alone. I recommend changing the regexp for ampersand to be this instead: s/&(?![a-zA-Z0-9#-]+;)/&/g This uses a negative look-ahead assertion to only match entities which are not already encoded. Please let me know if you have any questions. -- ~ Michael D. Stemle, Jr.

Mon Dec 29 17:53:42 2014 SREZIC [...] cpan.org - Correspondence added

On 2014-12-29 13:59:50, themanchicken@gmail.com wrote: Show quoted text

> If you use the code: > > [% HTML.escape( ">tag<" ) %] > > then it will expand to: > > &gt;tag&lt; > > which is different from the expected behavior of leaving existing escaped > entities alone. > > I recommend changing the regexp for ampersand to be this instead: > > s/&(?![a-zA-Z0-9#-]+;)/&/g > > This uses a negative look-ahead assertion to only match entities which are > not already encoded.

I think the current behavior is right. The input/output relation of HTML.escape is text -> html, not possibly_partial_html -> html. And other CPAN modules like CGI.pm also behave like TT: $ perl -MCGI -e 'warn CGI::escapeHTML(">tag<")' &gt;tag&lt; at -e line 1. If you think you need such a function, then you can always create an own Template-Toolkit plugin.

Mon Dec 29 17:53:42 2014 The RT System itself - Status changed from 'new' to 'open'

Fri Oct 05 12:52:41 2018 me [...] eboxr.com - Correspondence added

Ticket migrated to github as https://github.com/abw/Template2/issues/169

Fri Oct 05 12:52:42 2018 me [...] eboxr.com - Status changed from 'open' to 'resolved'