[Koha-patches] [PATCH] Using "escape=html" on TMPL_VAR containing SQL to prevent HTML from breaking when SQL includes double-quotes.

MJ Ray mjr at phonecoop.coop
Thu Feb 26 15:10:27 CET 2009


Joe Atzberger <joe.atzberger at liblime.com> wrote:
> Won't this make a statement like:
> ... where field > 1
>
> into:
> ... where field &gt; 1
>
> That would be sure to induce errors.

Yes, but only inside the INPUT VALUE, where > should be &gt; anyway.

See http://www.w3.org/TR/html401/interact/forms.html#adef-value-INPUT
and click around a bit.  It's like & in href should be written &amp;.

Hope that explains,
-- 
MJ Ray (slef)
Webmaster for hire, statistician and online shop builder for a small
worker cooperative http://www.ttllp.co.uk/ http://mjr.towers.org.uk/
(Notice http://mjr.towers.org.uk/email.html) tel:+44-844-4437-237
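
As an added illustration (not part of this thread or of Koha's own code), the following Python stand-in renders an INPUT tag the way a TMPL_VAR with and without escape=html would, then reads the value attribute back the way a browser's HTML parser does. The SQL string is constructed sample input; html.escape stands in for HTML::Template's escape=html.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a report query carrying both a double quote and a '>'
SQL = 'SELECT * FROM items WHERE barcode = "X" AND copynumber > 1'


def render_input(sql: str, escape: bool = True) -> str:
    """Render <input value="..."> as a template would emit it.

    escape=True mirrors escape=html: '"' -> &quot;, '>' -> &gt;, '&' -> &amp;.
    escape=False mirrors a bare TMPL_VAR, which splices the SQL in verbatim.
    """
    value = html.escape(sql, quote=True) if escape else sql
    return f'<input type="text" name="sql" value="{value}">'


class InputValueParser(HTMLParser):
    """Collect the value attribute of every <input>, decoded as a browser would."""

    def __init__(self) -> None:
        super().__init__()
        self.values: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            # html.parser unescapes entities here, so &gt; comes back as '>'
            self.values.append(dict(attrs).get("value") or "")


def browser_sees(markup: str) -> str:
    """Return the first <input>'s value as the HTML parser recovers it."""
    parser = InputValueParser()
    parser.feed(markup)
    parser.close()
    return parser.values[0] if parser.values else ""


if __name__ == "__main__":
    escaped = render_input(SQL, escape=True)
    raw = render_input(SQL, escape=False)
    print(escaped)
    print("escaped round-trips:", browser_sees(escaped) == SQL)
    # Unescaped: the SQL's own '"' closes the attribute and its '>' closes the tag,
    # so the field silently loses the rest of the query.
    print("unescaped value:", repr(browser_sees(raw)))
```

The escaped form shows `&gt;` in the page source, yet the field's value, and therefore what the form submits, is the original `>`; the unescaped form is truncated at the first double quote.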
