Andreas Schwarz wrote:
> A question about sanitizing in general: is it possible to disable
> sanitizing for certain variables in the template?

I implemented partial sanitizing into Kwartz. Could you try it?

  http://www.kuwata-lab.com/webtech/kwartz/kwartz_2004-03-24_beta.tar.gz

(This is an experimental version. Documents are not updated.)

New features:

* New functions E() and X() are implemented. E() means always sanitizing,
  and X() means never sanitizing.

  Presentation data (HTML file):
  --------------------
  #{expr}#
  #{E(expr)}#
  #{X(expr)}#
  --------------------

  Intermediate code:
  --------------------
  :print(expr)
  :print(E(expr))
  :print(X(expr))
  --------------------

  Output script:
  --------------------
  ### Ruby
  print expr, "\n"
  print CGI.escapeHTML(expr), "\n"
  print expr, "\n"

  ### eRuby
  <%= expr %>
  <%= CGI.escapeHTML(expr) %>
  <%= expr %>
  --------------------

  Output script (with command option '-s'):
  --------------------
  ### Ruby
  print CGI.escapeHTML(expr), "\n"
  print CGI.escapeHTML(expr), "\n"
  print expr, "\n"

  ### eRuby
  <%= CGI.escapeHTML(expr) %>
  <%= CGI.escapeHTML(expr) %>
  <%= expr %>
  --------------------

* New directives 'Value', 'VALUE', 'Attr' and 'ATTR' are implemented.
  'Value' and 'Attr' mean always sanitizing. 'VALUE' and 'ATTR' mean never
  sanitizing. For example, id="Value:expr" is equal to id="value:E(expr)",
  and id="ATTR:name:value" is equal to id="attr:name:X(value)".

  Presentation data (HTML file):
  --------------------
  <td id="attr:class:klass;value:expr">foo</td>
  <td id="Attr:class:klass;Value:expr">foo</td>
  <td id="ATTR:class:klass;VALUE:expr">foo</td>
  --------------------

  Intermediate code:
  --------------------
  :print('<td class="', klass, '">', expr, '</td>\n')
  :print('<td class="', E(klass), '">', E(expr), '</td>\n')
  :print('<td class="', X(klass), '">', X(expr), '</td>\n')
  --------------------

I wonder whether this design is nice. If you have any suggestions, please
tell me.

--
regards,
kwa
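The following Ruby is an added illustration of the three escaping modes described in the message above (default, E()/'Value'/'Attr' = always escape, X()/'VALUE'/'ATTR' = never escape). It is example code written for this page, not Kwartz's own implementation. It assumes that template variables are looked up in a Hash rather than evaluated as Ruby expressions, and that the directive form only has to handle a single element carrying an id attribute; the sample values are constructed to show what an attacker-controlled string does in each mode.

```ruby
require 'cgi'

# Example code, not Kwartz: a minimal renderer mimicking the sanitizing
# modes proposed in the message above.
#   #{expr}#     -> escaped only when the default (the '-s' option) is on
#   #{E(expr)}#  -> always escaped
#   #{X(expr)}#  -> never escaped
# The same three modes apply to the directives value/Value/VALUE and
# attr/Attr/ATTR. Variables are taken from a Hash (an assumption here).
module MiniKwartz
  TOKEN   = /\#\{(.*?)\}#/
  ELEMENT = /<(\w+)\s+id="([^"]+)"([^>]*)>(.*?)<\/\1>/m

  DIRECTIVE_MODES = {
    'attr'  => :default, 'Attr'  => :always, 'ATTR'  => :never,
    'value' => :default, 'Value' => :always, 'VALUE' => :never
  }.freeze

  # Split "E(expr)" / "X(expr)" / "expr" into [mode, variable name].
  def self.classify(expr)
    case expr.strip
    when /\AE\((.+)\)\z/ then [:always,  $1.strip]
    when /\AX\((.+)\)\z/ then [:never,   $1.strip]
    else                      [:default, expr.strip]
    end
  end

  # Apply the mode; :default falls back to the global '-s' setting.
  def self.escape_for(mode, value, sanitize_default)
    value = value.to_s
    case mode
    when :always then CGI.escapeHTML(value)
    when :never  then value
    else sanitize_default ? CGI.escapeHTML(value) : value
    end
  end

  # Expand #{...}# tokens in a template string.
  def self.render(template, vars, sanitize_default: false)
    template.gsub(TOKEN) do
      mode, name = classify($1)
      escape_for(mode, vars.fetch(name), sanitize_default)
    end
  end

  # Expand id="attr:...;value:..." directives on an element.
  def self.render_element(html, vars, sanitize_default: false)
    html.gsub(ELEMENT) do
      tag, directives, rest, content = $1, $2, $3, $4
      attrs = {}
      directives.split(';').each do |d|
        kind, *args = d.split(':')
        mode = DIRECTIVE_MODES.fetch(kind)
        case kind.downcase
        when 'attr'
          name, var = args
          attrs[name] = escape_for(mode, vars.fetch(var), sanitize_default)
        when 'value'
          content = escape_for(mode, vars.fetch(args.first), sanitize_default)
        end
      end
      attr_str = attrs.map { |k, v| %( #{k}="#{v}") }.join
      "<#{tag}#{attr_str}#{rest}>#{content}</#{tag}>"
    end
  end
end

if __FILE__ == $0
  # Constructed sample input: values an attacker could control.
  vars = { 'expr' => '<script>alert(1)</script>', 'klass' => 'a"b' }
  tmpl = '#{expr}# | #{E(expr)}# | #{X(expr)}#'
  puts MiniKwartz.render(tmpl, vars)                          # default off
  puts MiniKwartz.render(tmpl, vars, sanitize_default: true)  # as with -s
  %w[attr:class:klass;value:expr
     Attr:class:klass;Value:expr
     ATTR:class:klass;VALUE:expr].each do |id|
    puts MiniKwartz.render_element(%(<td id="#{id}">foo</td>), vars)
  end
end
```

Note that with the never-sanitize forms (X(), VALUE, ATTR) the example emits `class="a"b"` and a live `<script>` element even when the default is switched on with `-s`, which is exactly what makes those forms the ones to audit in a template: under this design only the uppercase directives and X() can ever produce unescaped output once `-s` is in use.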