A critique of cgi.escape

Lawrence D'Oliveiro ldo at geek-central.gen.new_zealand
Tue Sep 26 05:48:16 CEST 2006

In message <mailman.579.1159199258.10491.python-list at python.org>, Fredrik
Lundh wrote:

> In article <ef8oqr$9pt$1 at news.albasani.net>, Georg Brandl wrote:
>>> I'm sorry, that's not good enough. How, precisely, would it break
>>> "existing code"? Can you come up with an example, or even an
>>> explanation of how it could break existing code?
>> Is that so hard to see? If cgi.escape replaced "'" with an entity
>> reference, code that expects it not to do so would break.
> Sorry, that's still not good enough. Why would any code expect such a
> thing?
> that's not up to you to decide, though.

Yes it is. An HTML-quoting function converts a string to its HTML-compatible
representation. Since it is now HTML-compatible, any code that tries to
work with it afterwards has got to expect it to be HTML-compatible. Which
means it has to allow for what HTML allows.
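An added illustration of the behaviour under dispute, not code from the thread: the function below reimplements what Python 2's cgi.escape did (escape &, <, > and, only with quote=True, the double quote, never the apostrophe) and compares it with Python 3's html.escape, which also turns ' into an entity reference. The sample string and the check are constructed for this example; cgi.escape itself was deprecated in Python 3.2 and removed in 3.8, so it is not imported here.

```python
import html


def cgi_style_escape(s, quote=False):
    """Illustrative reimplementation of Python 2's cgi.escape(s, quote=False).

    Escapes &, < and >; escapes the double quote only when quote=True.
    The single quote is never touched, which is what the thread argues about.
    """
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def attr_value_is_safe(escaped, delimiter):
    """True if `escaped` can no longer close an attribute quoted with `delimiter`.

    An HTML-compatible attribute value must not contain its own delimiter
    in literal form; an escaper that leaves the delimiter alone fails this.
    """
    return delimiter not in escaped


def single_quoted_attr(name, value, escaper):
    """Build name='value' using the given escaper (constructed helper)."""
    return "%s='%s'" % (name, escaper(value))


# Constructed sample input containing an apostrophe, an ampersand and angle brackets.
SAMPLE = "O'Reilly & <Co>"


def compare(value=SAMPLE):
    """Escape `value` both ways and report whether each result is safe in a single-quoted attribute."""
    old_style = cgi_style_escape(value, quote=True)
    # html.escape defaults to quote=True and maps ' to &#x27; and " to &quot;.
    new_style = html.escape(value)
    return {
        "cgi_style": old_style,
        "html_escape": new_style,
        "cgi_style_safe_in_single_quotes": attr_value_is_safe(old_style, "'"),
        "html_escape_safe_in_single_quotes": attr_value_is_safe(new_style, "'"),
    }


if __name__ == "__main__":
    for key, val in compare().items():
        print("%-36s %s" % (key, val))
    print(single_quoted_attr("title", SAMPLE, cgi_style_escape))
    print(single_quoted_attr("title", SAMPLE, html.escape))
```

The cgi-style result still carries a literal apostrophe, so it only produces HTML-compatible output when the caller never puts it inside a single-quoted attribute; html.escape's output is HTML-compatible in either quoting style, which is the "allow for what HTML allows" position above stated in code.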
