Quixote 0.6 released

Andrew Kuchling akuchlin@mems-exchange.org
Fri, 09 May 2003 15:18:02 -0400


We've just issued the final release of Quixote 0.6.  With this
release, 0.6 becomes the new stable version of Quixote; it has already
seen production use on our web site.

The change list from 0.5.1 is extensive:

  * A new and preferred syntax for declaring PTL templates has been added.
    Instead of 'template func(): ...', the new form is 'def func [plain] ()'.
    This uses a notation that's been suggested for adding type
    information to Python functions.  The Emacs Python mode already handles 
    this properly, and it may be more compatible with future versions of 
    Python.

    The 'template' keyword is still supported, but we encourage you 
    to switch to the new syntax when you get a chance.

  * Rename _q_getname() to _q_lookup().  The name '_q_getname' is still
    supported, but will log a warning whenever it's encountered.
    This change will require users to modify their applications.

  * Quixote now supports a new kind of template that automatically performs
    HTML escaping.  Here's an example.  (Notice that the '[plain]'
    annotation is changed to '[html]' to enable this feature.)

        def header [html] (title):
            "<title>%s</title>" % title

    If the 'title' argument is something like "R&D", it will    
    automatically be converted to "R&amp;D" following the rules 
    for escaping HTML special characters.  The aim is to avoid cross-site 
    scripting attacks by automatically quoting unsafe characters in text.

    See http://www.mems-exchange.org/software/quixote/doc/PTL.html for
    more information about how this works.

    This escaping is implemented using either a Python 'htmltext'
    class or a C implementation.  Both implementations have seen
    production use on our web site.

  * The form framework now uses this automatic HTML escaping.  This
    means that applications using the form framework will have 
    to either be changed to use automatic HTML escaping themselves, 
    or to use str() to convert 'htmltext' instances back to Python
    strings.

    As part of this change, form/form.py and form/form_templates.ptl 
    were merged into form/form.py.

    See http://www.mems-exchange.org/software/quixote/doc/upgrading.html 
    for more information.

  * Added a new hook, _q_resolve(), that can be used to delay 
    importing modules until they're actually accessed.  Consult
    doc/programming.txt for an explanation.  (Original
    suggestion and patch by Jon Corbet.  In the process of adding it,
    Publisher.get_component() was rearranged to clarify the logic.)

Smaller changes:

  * Make Quixote a bit more friendly to multi-threaded applications
    by allowing multiple simultaneous requests (patch by Titus Brown).

  * Make util.xmlrpc() return an HTTP 405 Method Not Allowed error
    if the method isn't a POST.

  * Added demo/run_cgi.py, a script that makes it easy to write one-file
    CGI applications that use Quixote.  See the comments at the
    top of the demo/run_cgi.py file for instructions.

  * Added StaticFile and StaticDirectory classes to quixote.util.
    Consult doc/static-files.txt for examples.  (Contributed and
    documented by Hamish Lawson.)

  * Added quixote.server.twisted_http, which serves a Quixote application
    using the Twisted event-driven framework (www.twistedmatrix.com).

    Contributed by Graham Fawcett.  We don't use this code ourselves,
    but patches and bug fixes from Twisted users will be gratefully
    accepted.

  * If Quixote looks for _q_index() in a namespace and doesn't find
    it, it raises AccessError (resulting in an HTTP 403 Forbidden error)
    rather than failing with an ImportError.  A minor side effect of
    this change: Quixote will never attempt to import a module named
    '_q_index', nor will it pass '_q_index' to any _q_resolve() function.
    We don't expect this to be a backward compatibility problem.

  * Factored out the traverse_url() and get_component() methods
    from the Publisher class.

  * Fix generation of temporary filenames in upload.py: filename
    collisions should be impossible now.

  * Documented _q_exception_handler().

Please send comments and questions to c.l.python or to the
quixote-users mailing list.

--amk                                                    (www.amk.ca)
"Amberley excelled at chess -- one mark, Watson, of a scheming mind."
      -- Sherlock Holmes, in "The Adventure of the Retired Colourman"
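
The automatic escaping described for '[html]' templates, and the str()
conversion mentioned for the form framework, can be modelled in a few lines.
This is an added example, not part of the original announcement and not
Quixote's own code: the HtmlText class and its method bodies are a
hypothetical, simplified stand-in for an 'htmltext'-style type, written for
current Python and handling only %s-style substitution.

```python
from html import escape


class HtmlText:
    """Hypothetical stand-in: a string already known to be safe markup."""

    def __init__(self, markup):
        self.markup = str(markup)

    def __str__(self):
        # str() hands back a plain Python string, dropping the "safe" marker.
        return self.markup

    @staticmethod
    def _quote(value):
        # Trusted markup passes through once; anything else is escaped.
        if isinstance(value, HtmlText):
            return value.markup
        return escape(str(value), quote=True)

    def __mod__(self, args):
        # Escape every substituted value before formatting (%s only).
        if isinstance(args, dict):
            quoted = {k: self._quote(v) for k, v in args.items()}
        elif isinstance(args, tuple):
            quoted = tuple(self._quote(a) for a in args)
        else:
            quoted = self._quote(args)
        return HtmlText(self.markup % quoted)

    def __add__(self, other):
        return HtmlText(self.markup + self._quote(other))

    def __radd__(self, other):
        # A plain string on the left is untrusted, so it is escaped too.
        return HtmlText(self._quote(other) + self.markup)


def header(title):
    # Models 'def header [html] (title)': the literal is trusted markup,
    # the argument is untrusted text.
    return HtmlText("<title>%s</title>") % title


if __name__ == "__main__":
    print(header("R&D"))                 # untrusted text is escaped
    print(header(HtmlText("<em>x</em>")))  # trusted markup is not re-escaped
```

Because the result of every operation is again marked as safe markup, passing
it through another template does not escape it a second time.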