[plt-scheme] web-server: apostrophe in form input

From: Doug Orleans (dougo at ccs.neu.edu)
Date: Fri Feb 14 20:41:52 EST 2003

I have a servlet that generates a web page with a form; if there is an 
apostrophe in the "value" attribute of one of the form's input fields,
it gets sent out as "'", which is not valid HTML, so it shows up
verbatim in the input field, instead of an actual apostrophe.  The
culprit is `xexpr->string':

  > (xexpr->string '(input ((value "x'y"))))
  "<input value=\"x&apos;y\" />"

There are a couple issues here:

1. I don't think apostrophes need to be escaped in XML attributes that 
   use double-quotes (http://www.w3.org/TR/REC-xml#NT-AttValue), so
   maybe this could just be removed from `escape-attribute-table' in

2. Sending XML as HTML seems like it's breaking an abstraction
   barrier; perhaps there should be an `xexpr->xhtml-string' (and/or
   `xml->xhtml') that cleans up any non-HTML-compliant XML stuff.  In
   this case, it could translate "&apos;" to "&#39;" as recommended by
   the XHTML specification (http://www.w3.org/TR/xhtml1/#C_16).
   (Or just use a real apostrophe.)

--dougo at ccs.neu.edu

Posted on the users mailing list.