A critique of cgi.escape
John Bokma
john at castleamber.com
Tue Sep 26 19:18:14 EDT 2006
Brian Quinlan <brian at sweetapp.com> wrote:
> A summary of this pointless argument:
>
> Why cgi.escape should be changed to escape double quote (and maybe
> single quote) characters by default:
> o escaping should be very aggressive by default to avoid subtle bugs
> o over-escaping is not likely to harm most programs significantly
> o people who do not read the documentation may be surprised by its
> behavior
>
> Why cgi.escape should NOT be changed:
> o it is currently used in lots of code and changing it will almost
> certainly break some of it, test suites at minimum e.g.
> assert my_template_system("<p>{foo}</p>", foo='"') == '<p>"</p>'
You must be kidding.
> o escaping attribute values is less common than escaping element
> text
Again, you must be kidding: href="/search.cgi?query=3&results=10"
--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
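The attribute-value problem both posters are arguing about, as an added example that is not part of the thread. cgi.escape was deprecated in Python 3.2 and removed in 3.8; html.escape(s, quote=False) reproduces its 2006 default (only &, < and > escaped) and html.escape(s, quote=True), the modern default, is the equivalent of cgi.escape(s, quote=True) and additionally escapes the single quote. The attacker-supplied query value, the link template and the tiny attribute parser are constructed for the example.

```python
import html
import re

# Constructed attacker-controlled value for the "query" parameter.
# It closes the href attribute and starts a new one.
EVIL_QUERY = '3" onmouseover="alert(1)'


def escape_legacy(s):
    """What cgi.escape(s) did by default in 2006: escape &, < and > only.
    The double quote passes through untouched."""
    return html.escape(s, quote=False)


def escape_attr(s):
    """What cgi.escape(s, quote=True) did, and what html.escape does by
    default today: also escape " (and, in html.escape, ')."""
    return html.escape(s, quote=True)


def render_link(query, escape):
    """Build the href from the thread with a caller-chosen escaping function.
    The literal & between query parameters is written as &amp;, as it must
    be inside an attribute value."""
    return '<a href="/search.cgi?query=%s&amp;results=10">search</a>' % escape(query)


# Deliberately lenient attribute parser: it extracts name="value" pairs
# from a single start tag the way a forgiving browser would.
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def attributes(tag):
    """Return {name: value} for every double-quoted attribute in `tag`."""
    return dict(ATTR_RE.findall(tag))


if __name__ == "__main__":
    # Element text: both modes are equivalent for the href from the thread
    # because it contains no quote characters.
    print(escape_legacy('/search.cgi?query=3&results=10'))

    # Attribute value with the legacy default: the quote breaks out of href
    # and the attacker gets an event-handler attribute of their own.
    broken = render_link(EVIL_QUERY, escape_legacy)
    print(broken)
    print(sorted(attributes(broken)))  # ['href', 'onmouseover']

    # With quote=True the whole value stays inside href.
    safe = render_link(EVIL_QUERY, escape_attr)
    print(safe)
    print(sorted(attributes(safe)))    # ['href']
```

The example deliberately parses the rendered tag rather than eyeballing the string: the check that matters is whether a second attribute name appears, which is exactly the "subtle bug" Brian's first bullet refers to. Note that the `&` in the thread's example href has to be escaped in both modes, which is why the template writes it as `&amp;`.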