Consider this TH1 snippet in the Header, Footer, CSS or Javascript part of a skin template:
<verbatim>
<th1>
puts "puts: &<>\"'"
html "\nhtml: &<>\"'"
puts [ htmlize "\nputs\[htmlize\]: &<>\"'" ]
set test "&<>\"'"
</th1>
Outside TH1 block: test = $test
</verbatim>
Output:
<verbatim>
puts: &<>"'
html: &<>"'
puts[htmlize]: &amp;&lt;&gt;&quot;&#39;
Outside TH1 block: test = &<>"'
</verbatim>
It seems that <code>puts</code> already does what I would expect <code>html</code> to do, while the latter seems to work more like a bare-metal print function. Consequently, the results of <code><nowiki>puts[htmlize]</nowiki></code> are double-HTMLized.
The document [https://fossil-scm.org/index.html/doc/trunk/www/th1.md |The TH1 Scripting Language] states:
* <code>puts STRING</code>: Outputs the STRING unchanged.
* <code>html STRING</code>: Outputs the STRING escaped for HTML.
* <code>htmlize STRING</code>: Escape all characters of STRING which have special meaning in HTML. Returns the escaped string.
I must admit I don't understand this behavior, somehow. Is it possible that the code in the underlying scripting engine for <code>puts</code> and <code>html</code> was exchanged by mistake?
However, as several skin templates seem to rely on <code>html</code>, changing this may require a lot of careful testing.
TH1 variables in skin templates seem to be used mostly to construct hyperlinks, and the standards seem to allow both non-HTMLized and HTMLized forms:
<verbatim>
<a href="url&param">
<a href="url&amp;param">
</verbatim>
<verbatim>
<script> console.log("url&param"); /* → url&param */ </script>
<script> console.log("url&amp;param"); /* → url&amp;param */ </script>
</verbatim>
Problems might occur with string variables containing quotation marks, but this doesn't seem to be a common case.
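As an added example (not from the post and not Fossil's own code), a small Python model of the escaping the TH1 document describes for htmlize, which replays the three output lines of the snippet under both readings of the puts/html pair, reports which command copies its argument into the page unescaped, and shows how HTML text-content decoding treats a bare "&param". The names htmlize, DOCUMENTED, OBSERVED and raw_sinks are my own; TH1 itself is not executed.

```python
import html

# Escape table as the TH1 document describes htmlize; the name is mine, not Fossil's.
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}

def htmlize(s):
    """Model of TH1 htmlize: escape the five characters special in HTML."""
    return "".join(ESCAPES.get(c, c) for c in s)

# Two models of the puts/html pair: what the document says, and what the
# post observes (puts escapes, html writes its argument raw).
DOCUMENTED = {"puts": lambda s: s, "html": htmlize}
OBSERVED = {"puts": htmlize, "html": lambda s: s}

def shown_as_text(page_source):
    """What a browser displays for a piece of page source in text content."""
    return html.unescape(page_source)

def render(model, cmd, s):
    """Return (what lands in the page source, what the browser shows)."""
    emitted = model[cmd](s)
    return emitted, shown_as_text(emitted)

SAMPLE = "&<>\"'"  # the test string used by the snippet

def run_snippet(model):
    """Replay the three output lines of the snippet under one model."""
    return {
        "puts": render(model, "puts", SAMPLE),
        "html": render(model, "html", SAMPLE),
        "puts[htmlize]": render(model, "puts", htmlize(SAMPLE)),
    }

def raw_sinks(model):
    """Commands that copy their argument into the page without escaping."""
    return sorted(cmd for cmd, fn in model.items() if fn(SAMPLE) == SAMPLE)

if __name__ == "__main__":
    for name, model in (("documented", DOCUMENTED), ("observed", OBSERVED)):
        print(name, "-> raw sinks:", raw_sinks(model))
        for line, (src, shown) in run_snippet(model).items():
            print(f"  {line:14} source={src!r:42} shown={shown!r}")
    # In text content a bare '&param' is read as the legacy entity '&para' + 'm'.
    print(shown_as_text("url&param"))
```

The observed model reproduces the post's third output line exactly (the browser shows the once-escaped string because the page source holds it twice-escaped), while the documented model shows the plain characters.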