Completely fix bug #721 by using attrEscape instead of cgi.escape for

dynamic attribute values as well as static values.

doc/CHANGES.txt

@@ -8,6 +8,9 @@ Zope Changes
 
     Bugs fixed
 
+     - Collector #721: Entities in tal:attribute values weren't
+       properly escaped.
+
      - Collector #851: Traversable.py: A bare try..except shadowed
        conflict errors
 

lib/python/TAL/TALInterpreter.py

@@ -24,7 +24,7 @@ from cgi import escape
 from StringIO import StringIO
 from DocumentTemplate.DT_Util import ustr
 
-from TALDefs import TAL_VERSION, TALError, METALError
+from TALDefs import TAL_VERSION, TALError, METALError, attrEscape
 from TALDefs import isCurrentVersion, getProgramVersion, getProgramMode
 from TALGenerator import TALGenerator
 from TranslationContext import TranslationContext
@@ -336,7 +336,7 @@ class TALInterpreter:
         if value is None:
             value = name
         else:
-            value = '%s="%s"' % (name, escape(value, 1))
+            value = '%s="%s"' % (name, attrEscape(value))
         return 1, name, value
 
     def attrAction_tal(self, item):
@@ -369,7 +369,7 @@ class TALInterpreter:
                     value = translated
             if value is None:
                 value = name
-            value = '%s="%s"' % (name, escape(value, 1))
+            value = '%s="%s"' % (name, attrEscape(value))
         return ok, name, value
     bytecode_handlers["<attrAction>"] = attrAction
 

lib/python/TAL/tests/test_talinterpreter.py

@@ -221,7 +221,7 @@ class OutputPresentationTestCase(TestCaseBase):
         self.compare(INPUT, EXPECTED)
 
     def check_entities(self):
-        INPUT = ('<img tal:define="foo nothing" '
+        INPUT = ('<img tal:attributes="alt default" '
                  'alt="&a; &#1; &#x0a; &a &#45 &; &#0a; <>" />')
         EXPECTED = ('<img alt="&a; &#1; &#x0a; '
                     '&amp;a &amp;#45 &amp;; &amp;#0a; &lt;&gt;" />\n')