Subject: html filter should encode " and '
One example given in the code for html and uri encoding shows creating an attribute like this:
<a href="[% some_url | uri | html %]">
This won't encode ' but it will encode " -- both fall into the same category, unreserved characters (RFC 2396 s2.3). If the user had written:
<a href='[% some_url | uri | html %]'>
he would be in for an unpleasant surprise. Since ' and " are both valid quoting characters for attributes, both should be encoded here to prevent this problem.
(It would be nice to have a built-in filter that would encode " and ' -- either html or html_attr.)
html_entity is not sufficient to do this job, because it also only encodes " and not '.
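To make the failure mode concrete, here is a small added Python model of the two filters as the report describes them; it is not code from the report or from Template Toolkit. It assumes a `uri` filter that leaves RFC 2396 unreserved characters (including the apostrophe) untouched and an `html` filter that encodes only `&`, `<`, `>` and `"`, then shows a hypothetical `html_attr` filter that also encodes `'`, and a check that tells you whether a filtered value can still close the attribute it is placed in. The sample URL is constructed for the demonstration.

```python
# Model of the problem in the report: uri | html leaves ' alone, so a
# single-quoted attribute can be terminated by the value.  Assumed filter
# behaviour, not Template Toolkit's actual implementation.

# RFC 2396 s2.3 unreserved set: alphanum plus the "mark" characters,
# which include the apostrophe.  Everything else is percent-encoded.
_URI_UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-_.!~*'()"
)


def uri(s):
    """Percent-encode all bytes except RFC 2396 unreserved characters."""
    out = []
    for b in s.encode("utf-8"):
        ch = chr(b)
        out.append(ch if ch in _URI_UNRESERVED else "%%%02X" % b)
    return "".join(out)


def html(s):
    """The four-character html filter: &, <, >, and double quote only."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))


def html_attr(s):
    """Hypothetical hardened filter: html plus the apostrophe, so the
    value is safe inside an attribute delimited by either quote style."""
    return html(s).replace("'", "&#39;")


def attribute_safe(value, filt, quote):
    """True if uri | filt leaves no occurrence of the delimiting quote,
    i.e. the value cannot terminate the attribute early."""
    return quote not in filt(uri(value))


def render(value, filt, quote):
    """Render <a href=...> the way the template snippet in the report does."""
    return "<a href=%s%s%s>" % (quote, filt(uri(value)), quote)


if __name__ == "__main__":
    url = "https://example.com/it's \"here\""   # constructed sample value
    for quote in ("'", '"'):
        for name, filt in (("html", html), ("html_attr", html_attr)):
            print("%-9s %s  safe=%s" % (
                name, render(url, filt, quote),
                attribute_safe(url, filt, quote)))
```

Running the block shows that with double quotes both filters are safe (the `uri` stage already turned `"` into `%22`), but with single quotes only `html_attr` keeps the delimiter out of the value; that asymmetry is exactly why the report asks for both characters to be encoded.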