Hash sign inside string value that includes quotes interpreted as comment #426
Description
When a string value is contains parts enclosed in quotes (e.g.: a XML tag with attributes), if the quoted part contains a '#', it can be considered as a comment. since the rest of the line is ignored, including other quotes, the value may be incomplete in multi line strings. if all is on one line the whole decoding may fail.
import toml
import tomllib
print( toml.loads("""key = "'''before hash # after hash'''" """))
print(tomllib.loads("""key = "'''before hash # after hash'''" """))
print( toml.loads("""key = '''"before hash # after hash"'''"""))
print(tomllib.loads("""key = '''"before hash # after hash"'''"""))
print( toml.loads("""key = ''''before hash # after hash''''"""))
print(tomllib.loads("""key = ''''before hash # after hash''''"""))
output:
{'key': "'''before hash # after hash'''"}
{'key': "'''before hash # after hash'''"}
{'key': '"before hash # after hash"'}
{'key': '"before hash # after hash"'}
{}
{'key': "'before hash # after hash'"}
The case that let me discover this was storing a svg fragment:
import toml
src='''key = """
<mask id="b">
<g filter="url(#a)">
<rect fill-opacity="0.104" height="128" width="128"/>
</g>
</mask>
"""
'''
print(toml.loads(src))
print(tomllib.loads(src))
output:
{'key': '<mask id="b">\n <g filter="url( \n <rect fill-opacity="0.104" height="128" width="128"/>\n </g>\n </mask>\n'}
{'key': '<mask id="b">\n <g filter="url(#a)">\n <rect fill-opacity="0.104" height="128" width="128"/>\n </g>\n </mask>\n'}