A critique of cgi.escape

Duncan Booth duncan.booth at invalid.invalid
Thu Sep 28 10:07:30 CEST 2006

Lawrence D'Oliveiro <ldo at geek-central.gen.new_zealand> wrote:

>> Also, because Python has a 
>> conservative policy on backwards incompatible changes, you are protected
>> from some wanker going and changing the HTML safe mappings arbitrarily,
>> say using numerical entity references instead of >, < and &.
> Why would that be wrong? It would still be consistent with the
> documentation.
It would be wrong, as he said, because "Python has a conservative policy on 
backwards incompatible changes". In general (although they may not always 
succeed) Python's core developers try not to change functionality even when 
that functionality isn't clearly documented. Rather, if it becomes an issue 
they would prefer to clarify the documentation.

Yes, there is a downside to this: a lot of the Python standard libraries 
aren't as good as they could be if incompatible changes were allowed, but 
it does reduce maintenance headaches.

The solution is usually that when the standard api is insufficient you wrap 
it in something else. cgi.escape is a good example: most people writing web 
applications never call it directly because they produce their html output 
using a templating language which does all the necessary quoting for them 
automatically (e.g. Zope's tal language). If you use tal then you have zero 
chance of forgetting to use &quot; in a situation where it is required, 
but an incompatible change to cgi.escape could still break your existing 

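The "wrap the standard api" approach the post describes, as an added example that is not part of the thread: the application promises its own fixed escaping table (including the double quote that a bare attribute context needs), routes all output through that wrapper, and keeps a startup-time check that notices if the standard library's mapping ever drifts from what the wrapper promises. The names `escape_html`, `attribute`, `legacy_default_escape` and `stdlib_matches_promise` are this example's own, and the sample input is constructed. Since `cgi.escape` was removed from modern Python, `html.escape(..., quote=False)` stands in for its historical default, which escaped only `&`, `<` and `>`.

```python
import html

# Fixed mapping this module promises to callers. Keeping it here, rather than
# relying on the stdlib's exact choice of entity, means an incompatible change
# in the library cannot silently alter the application's output.
ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def escape_html(text):
    """Escape text for element content or a double-quoted attribute value."""
    return "".join(ESCAPES.get(ch, ch) for ch in str(text))


def attribute(name, value):
    """Render name="value" with the value always escaped, so a stray quote in
    untrusted data cannot terminate the attribute (the case the post warns
    about forgetting)."""
    return '%s="%s"' % (name, escape_html(value))


def legacy_default_escape(text):
    """Mirror the historical cgi.escape default (quote=False): only & < > are
    escaped and a double quote passes through unchanged. Shown here only to
    make the gap visible; application code should call escape_html."""
    return html.escape(str(text), quote=False)


def stdlib_matches_promise(sample='say "hi" & <bye> it\'s'):
    """Startup or test-time check: detect whether the stdlib's mapping has
    drifted from the one this wrapper promises (e.g. numeric references
    instead of named ones). Returns True while the two agree."""
    return html.escape(sample, quote=True) == escape_html(sample)


if __name__ == "__main__":
    untrusted = 'say "hi" & <bye>'  # constructed sample input
    print(escape_html(untrusted))
    print(attribute("title", untrusted))
    print(legacy_default_escape(untrusted))  # note the unescaped quotes
    print(stdlib_matches_promise())
```

The check in `stdlib_matches_promise` is the cheap insurance the post is after: if a future library release changed its entity choices, the application would learn about it in its test suite rather than in rendered pages, and the wrapper's own table would still be what every template sees.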