A critique of cgi.escape
duncan.booth at invalid.invalid
Wed Sep 27 11:47:25 CEST 2006
Brian Quinlan <brian at sweetapp.com> wrote:
> Actually, I wasn't kidding. I was basing this belief on grepping through
> the Python standard library where only the quote=None form is ever used.
> It also matches my experience. But I don't have a large enough sample to
> make any claim either way.
A better sample might be to grep the Zope sources. There are a lot of calls
to escape and the vast majority don't set the quote parameter, but most use
of escape is actually hidden by the templating system. The TAL engine uses
escape(s,1) for attribute values and escape(text) for content, so you get
the best of both worlds: you don't have to think about which form of escape
you need (or even that you need to escape strings at all), and you don't
get quotes escaped when they don't have to be.
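To make the two forms concrete, here is an added Python example (not code from the thread, Zope or TAL) that reimplements the old cgi.escape behaviour, since cgi.escape was removed in Python 3.8, and applies it the way the reply describes TAL doing it: escape(s, 1) for attribute values, escape(text) for element content. The naive_attr helper shows what goes wrong when the content form is used for an attribute.

```python
def escape(s, quote=False):
    """Same contract as the old cgi.escape: '&', '<' and '>' are always
    replaced; '"' only when quote is true (single quotes are never touched,
    unlike html.escape(quote=True) in the modern standard library)."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def attr(name, value):
    # Attribute context: the TAL escape(s, 1) form. A '"' inside the value
    # becomes &quot; so it can no longer terminate the double-quoted attribute.
    return '%s="%s"' % (name, escape(value, quote=True))


def naive_attr(name, value):
    # The pitfall: escape(s) without quote, used for an attribute anyway.
    # '&', '<' and '>' are handled, but a '"' in the value ends the attribute
    # early and whatever follows it lands in tag context.
    return '%s="%s"' % (name, escape(value))


def element(tag, text, **attrs):
    # Element content: the TAL escape(text) form. Quotes are left alone here
    # because they cannot break out of text content; only '<', '>' and '&'
    # have meaning in that context.
    attr_str = "".join(" " + attr(k, v) for k, v in attrs.items())
    return "<%s%s>%s</%s>" % (tag, attr_str, escape(text), tag)


if __name__ == "__main__":
    # Constructed untrusted input: a double quote followed by extra text.
    value = 'x" y'
    print(naive_attr("title", value))  # the value's quote closes the attribute
    print(attr("title", value))        # the quote is neutralised
    print(element("p", 'say "hi" <now>', title=value))
```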