A critique of cgi.escape
ldo at geek-central.gen.new_zealand
Sun Sep 24 06:49:22 CEST 2006
In message <slrnehbra1.kpr.jon+usenet at snowy.squish.net>, Jon Ribbens wrote:
> In article <mailman.499.1159035571.10491.python-list at python.org>, Fredrik
> Lundh wrote:
>> Lawrence D'Oliveiro wrote:
>>> So I think the default for the second argument to cgi.escape should be
>>> changed to True. Or alternatively, the second argument should be removed
>>> altogether, and quotes should always be escaped.
>> you're confused: cgi.escape(s) is designed to be used for ordinary text,
>> cgi.escape(s, True) is designed for attributes. if you use the code the
>> way it's intended to be used, it works perfectly fine.
> He's not confused, he's correct; the author of cgi.escape is the
> confused one.
Thanks for backing me up. :)
> One thing that is flat-out wrong, by the way, is that cgi.escape()
> does not encode the apostrophe (') character. This is essentially
> identical to the quote character in HTML, so any code which is escaping
> one should always be escaping the other.
I must confess I did a double-take on this. But I rechecked the HTML spec
(HTML 4.0, section 3.2.2, "Attributes"), and you're right--single quotes
ARE allowed as an alternative to double quotes. It's just I've never used
them as quotes. :)
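
The apostrophe point discussed in this thread, as an added example that is not part of the original post or of Python's own code. `legacy_escape` is a local stand-in written here for the behaviour the thread describes (escaping `&`, `<`, `>` and, on request, `"` only), and `SAMPLE` is a constructed input; the standard library's `html.escape` is used for comparison, since it also escapes `'`.

```python
import html
from html.parser import HTMLParser


def legacy_escape(s, quote=False):
    """Stand-in for the behaviour described in the thread (an assumption,
    not the library source): escapes & < > and, if quote, only '"'."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


class AttrCollector(HTMLParser):
    """Records the attributes of every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_attrs(markup):
    """Parse one tag and return its attributes as the parser understood them."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags[0][1]


def render(value, escaper, delim):
    # The template author chooses the attribute delimiter; HTML allows ' or ".
    return "<input value=" + delim + escaper(value) + delim + ">"


SAMPLE = "x' data-injected='1"  # constructed input containing apostrophes


def demo():
    """Map (escaper name, delimiter) -> attributes seen after parsing."""
    escapers = {"legacy": lambda v: legacy_escape(v, True),
                "html.escape": lambda v: html.escape(v, quote=True)}
    return {(name, d): parsed_attrs(render(SAMPLE, esc, d))
            for name, esc in escapers.items() for d in ('"', "'")}


if __name__ == "__main__":
    for key, attrs in demo().items():
        print(key, attrs)
```

Only the combination of the double-quote-only escaper with a single-quoted attribute yields a second attribute; every other combination keeps the whole input inside `value`.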