A critique of cgi.escape

Lawrence D'Oliveiro ldo at geek-central.gen.new_zealand
Sun Sep 24 06:49:22 CEST 2006

In message <slrnehbra1.kpr.jon+usenet at snowy.squish.net>, Jon Ribbens wrote:

> In article <mailman.499.1159035571.10491.python-list at python.org>, Fredrik
> Lundh wrote:
>> Lawrence D'Oliveiro wrote:
>>> So I think the default for the second argument to cgi.escape should be
>>> changed to True. Or alternatively, the second argument should be removed
>>> altogether, and quotes should always be escaped.
>> you're confused: cgi.escape(s) is designed to be used for ordinary text,
>> cgi.escape(s, True) is designed for attributes.  if you use the code the
>> way it's intended to be used, it works perfectly fine.
> He's not confused, he's correct; the author of cgi.escape is the
> confused one.

Thanks for backing me up. :)

> > One thing that is flat-out wrong, by the way, is that cgi.escape() 
> does not encode the apostrophe (') character. This is essentially
> identical to the quote character in HTML, so any code which escaping
> one should always be escaping the other.

I must confess I did a double-take on this. But I rechecked the HTML spec
(HTML 4.0, section 3.2.2, "Attributes"), and you're right--single quotes
ARE allowed as an alternative to double quotes. It's just I've never used
them as quotes. :)

More information about the Python-list mailing list