[Web-SIG] htmlgen

A.M. Kuchling amk at amk.ca
Wed Oct 29 21:48:07 EST 2003


On Wednesday, October 29, 2003, at 04:29  PM, Ian Bicking wrote:
> Quixote's PTL has some stuff related to this as well (at least related 
> to quoting), but I don't remember much about it.

http://www.mems-exchange.org/software/quixote/doc/PTL.html is the 
relevant documentation.

Basically, the 'htmltext' data type behaves like a string.  In 
operations involving both htmltext and regular strings, the regular 
string is coerced to htmltext; coercing a string to htmltext involves 
quoting HTML/XML special characters.  For example:

>>> from quixote import html
>>> html.htmltext('abc')
<htmltext 'abc'>
>>> h = html.htmltext
>>> h('<title>%s</title>') % 'Magic chars: <, >, &'
<htmltext '<title>Magic chars: &lt;, &gt;, &amp;</title>'>
>>> h('abc') + '&'
<htmltext 'abc&amp;'>

If a templating package uses htmltext for portions of the template that 
were known to be trusted, then you don't have to remember to pass 
untrusted data from the browser through cgi.escape() or some 
equivalent; the coercion handles it for you, thus closing one source of 
security holes.

Quixote's PTL then layers some compiler magic on top of this so you 
don't have htmltext() constructors all over the place, but you don't 
need to buy into PTL to use htmltext.  Adding it to the stdlib might 
not be a bad idea.

--amk
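The coercion behaviour described in the message above, as an added example that is not Quixote's own code: a minimal str subclass in which trusted markup is wrapped once, and any plain string mixed in via `+` or `%` is escaped on the way in, so the escaping step cannot be forgotten (the class name `HtmlText` and helper `render_title` are assumptions for this illustration).

```python
# Added example, not Quixote's htmltext: a small reimplementation of the
# idea that trusted markup is a distinct type and plain strings are
# escaped when coerced into it.
import html as _html


class HtmlText(str):
    """A str subclass representing markup that is already safe to emit.

    Plain str values combined with an HtmlText are escaped first;
    HtmlText combined with HtmlText is passed through unchanged.
    """

    @staticmethod
    def _coerce(value):
        if isinstance(value, HtmlText):
            return str(value)  # already trusted markup: no escaping
        # html.escape replaces &, <, > and, with quote=True, " and '
        return _html.escape(str(value), quote=True)

    def __add__(self, other):
        return HtmlText(str(self) + self._coerce(other))

    def __radd__(self, other):
        return HtmlText(self._coerce(other) + str(self))

    def __mod__(self, args):
        # Escape every substituted value, whatever form % was given.
        if isinstance(args, tuple):
            args = tuple(self._coerce(a) for a in args)
        elif isinstance(args, dict):
            args = {k: self._coerce(v) for k, v in args.items()}
        else:
            args = self._coerce(args)
        return HtmlText(str.__mod__(self, args))

    def __repr__(self):
        return "<HtmlText %r>" % str(self)


def render_title(untrusted_title):
    """The template literal is trusted; the title is browser-supplied
    (hypothetical) and is escaped by the coercion, not by the caller."""
    return HtmlText("<title>%s</title>") % untrusted_title
```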