A critique of cgi.escape

Max M maxm at mxm.dk
Mon Sep 25 16:48:03 CEST 2006

Jon Ribbens skrev:
> In article <mailman.569.1159192888.10491.python-list at python.org>, Fredrik Lundh wrote:
>>> There's nothing to say that cgi.escape should take them both into account
>>> in the one function
>> so what exactly are you using cgi.escape for in your code ?
> To escape characters so that they will be treated as character data
> and not control characters in HTML.
>>> What precisely do you think it would "break"?
>> existing code, and existing tests.
> I'm sorry, that's not good enough. How, precisely, would it break
> "existing code"? Can you come up with an example, or even an
> explanation of how it *could* break existing code?

Some examples are:

- Possibly any code that tests for string equality in a rendered 
html/xml page. Testing is a prefered development tool these days.

- Code that generates cgi.escaped() markup and (rightfully) for some 
reason expects the old behaviour to be used.

- 3. party code that parses/scrapes content from cgi.escaped() markup. 
(you could even break Java code this way :-s )

Any change in Python that has these consequences will rightfully be 
considered a bug. So what you are suggesting is to knowingly introduce a 
bug in the standard library!

You are right that the html generated by cgi.escape() would (probably) 
have the same visual appearence in the browsers. But that is a *very* 
narrow definition of being bug free and not breaking stuff.

If you cannot think of other examples for yourself where your change 
would introduce breakage, you are certainly not an experienced enough 
programmer to suggest changes in the standard lib!

Max M

More information about the Python-list mailing list