Conceptually, this looks like

  my $escaped = $content;
  $escaped =~ s/&/&/g;
  $escaped =~ s/</&lt;/g;
  $escaped =~ s/>/&gt;/g;
  print "<textarea>$escaped</textarea>";
[download]

See my above note on this idea. The problem is that I want folks to be able to create a technote (in a textread form) that contains any html tag, and save it exactly as typed, and then have them be able to edit that exact text again later, without some of those tag being interpreted as tags for the page instead of text in the textarea. If I modify the content like that, then a user types in one thing and ends up editing another.

Then again, if I told folks not to escape, and I escaped for them before saving the file, then that just might work... then any tags would be saves with escapes, and displayed as text and not interpreted. The only problem with this is if you type, say, <pre> </pre> inside a textarea - that doesn't get interpreted, so I would be escaping things that don't need it, but I suppose that might be alright.

Actually, that get ugly, because, then all of the tags that I am telling people to use to format the text of the technote will now not be tags that format the text when displayed later in a table, they will show as text, unless I unescape all before displaying to the table.

That get's messy, but it may be the only way...

Any other ideas?

The problem is that I want folks to be able to create a technote (in a textread form) that contains any html tag, and save it exactly as typed, and then have them be able to edit that exact text again later, without some of those tag being interpreted as tags for the page instead of text in the textarea.

From the sound of it, someone is doing some unecessary entity unescaping when the form is submitted. If a user types

    <foo>
[download]

but what ends up saved is

    <foo>
[download]

then there's a problem in your form processing logic.

And make sure you escape the & before the < and > otherwise you end up with something along the lines of:

"<" -> "%lt;" -> "&lt;"

Incidentally, in order to print this out correctly I have to triple escape the code. Talk about confusing!

-caedes

Thanks, but if you try it like I suggested, you'll see the dilema - here is the problem:

I want &lt; to show up as-is, since that is what the user typed when the document was created. If I have them double-escape (or really escape the & with &amp;) then when I save the text, and then display it later (on a technote display page that drops the html in a table cell) it will show as &lt; and not as <

The problem is that most tags inside the textarea tag are NOT interpreted, but the following IS:

<textarea>&lt;property key="smtpHost"        value=""/&gt;</textarea>

Basically, I think that this is a bug in the textarea tag for html - any other ideas?

TIA again, Jeff

I want &lt; to show up as-is, since that is what the user typed when the document was created.

If the user literaly typed '&' 'l' 't' ';', then to prevent this from being corrupted when you spit the text back out into a textarea, you're going to need to escape the '&'. This isn't an HTML bug, though it's not the most documented aspect of HTML that you'll find.

#!/usr/bin/perl -T

use strict;
use warnings;
use CGI qw(header param);
use HTML::Template;

my $tmpl = HTML::Template->new(filehandle => \*DATA);
$tmpl->param(html => param('html'));
print header, $tmpl->output;

__DATA__
<html>
<head>
<title>textarea test</title>
</head>
<body>

<form>
<textarea name="html"><tmpl_var name="html" escape="html"></textarea>
<input type="submit" />
</form>

<hr />
<p><tmpl_var name="html"></p>

</body>
</html>
[download]

jeffa

L-LL-L--L-LL-L--L-LL-L--
-R--R-RR-R--R-RR-R--R-RR
B--B--B--B--B--B--B--B--
H---H---H---H---H---H---
(the triplet paradiddle with high-hat)

BTW, this is one of the main reasons why I encourage the use of CGI.pm for producing HTML output (not just for interpretting CGI parameters). Just in the code for PerlMonks, quite a large number of bugs can be blamed on not using CGI.pm (I've seen many introduced when code was converted to not use CGI.pm, I've seen many fixed when code was converted to use CGI.pm, and there are at least a few still present that I hope to fix by using CGI.pm).

Not that CGI.pm's generation of HTML is perfect. Having radio_group() call escapeHTML() on the labels is simply a mistake and I'm not a big fan of what end_form() does. And the most common mistake I see made is people not specifying force=>1 when they should.

But I suspect that you've only noticed this bug in one place and that you likely have the same bug in several other places. And knowing how to escape a value in some parts of HTML can be rather tricky. But the biggest problem appears to me to be that people simply don't think about having to escape values and just include them unchanged into their HTML and that often works (and sometimes you should not escape things). So I consider generating HTML with CGI.pm to be a good habit (in situations where a better habit isn't being used).