[Web-SIG] htmlgen
A.M. Kuchling
amk at amk.ca
Wed Oct 29 21:48:07 EST 2003
On Wednesday, October 29, 2003, at 04:29 PM, Ian Bicking wrote:
> Quixote's PTL has some stuff related to this as well (at least related
> to quoting), but I don't remember much about it.
http://www.mems-exchange.org/software/quixote/doc/PTL.html is the
relevant documentation.
Basically, the 'htmltext' data type behaves like a string. In
operations involving both htmltext and regular strings, the regular
string is coerced to htmltext; coercing a string to htmltext involves
quoting HTML/XML special characters. For example:
>>> from quixote import html
>>> html.htmltext('abc')
<htmltext 'abc'>
>>> h = html.htmltext
>>> h('<title>%s</title>') % 'Magic chars: <, >, &'
<htmltext '<title>Magic chars: &lt;, &gt;, &amp;</title>'>
>>> h('abc') + '&'
<htmltext 'abc&amp;'>
If a templating package uses htmltext for portions of the template that
were known to be trusted, then you don't have to remember to pass
untrusted data from the browser through cgi.escape() or some
equivalent; the coercion handles it for you, thus closing one source of
security holes.
Quixote's PTL then layers some compiler magic on top of this so you
don't have htmltext() constructors all over the place, but you don't
need to buy into PTL to use htmltext. Adding it to the stdlib might
not be a bad idea.
--amk
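The coercion rule amk describes (plain strings get HTML-quoted whenever they meet an htmltext value; htmltext values pass through unchanged) is easy to reproduce in a few dozen lines. The class below is an added illustration written for this archive page, not Quixote's own htmltext implementation; the class name HtmlText, the helper functions render_title and render_list, and the sample inputs are all invented here, and escaping is delegated to the standard library's html.escape rather than whatever Quixote used.

```python
import html


class HtmlText:
    """Minimal stand-in for Quixote's htmltext (added example, not Quixote code).

    Wraps a string the author has declared to be trusted markup. Whenever a
    plain str meets an HtmlText in %, +, or join, the plain str is escaped
    first, so data from the browser cannot inject tags unless somebody
    explicitly wraps it in HtmlText.
    """

    __slots__ = ("_s",)

    def __init__(self, s):
        self._s = str(s)

    @staticmethod
    def _coerce(value):
        # Already-trusted markup passes through untouched; anything else is
        # treated as untrusted text and has <, >, &, and quotes escaped.
        if isinstance(value, HtmlText):
            return value._s
        return html.escape(str(value), quote=True)

    def __str__(self):
        return self._s

    def __repr__(self):
        return "<HtmlText %r>" % self._s

    def __eq__(self, other):
        return isinstance(other, HtmlText) and other._s == self._s

    def __hash__(self):
        return hash(self._s)

    def __add__(self, other):
        return HtmlText(self._s + self._coerce(other))

    def __radd__(self, other):
        return HtmlText(self._coerce(other) + self._s)

    def __mod__(self, args):
        # Escape every substitution value, then apply ordinary %-formatting
        # to the trusted template string.
        if isinstance(args, tuple):
            args = tuple(self._coerce(a) for a in args)
        elif isinstance(args, dict):
            args = {k: self._coerce(v) for k, v in args.items()}
        else:
            args = self._coerce(args)
        return HtmlText(self._s % args)

    def join(self, items):
        return HtmlText(self._s.join(self._coerce(i) for i in items))


h = HtmlText  # same shorthand as in the interactive session above


def render_title(user_supplied):
    """The template text is trusted; the substituted value is not."""
    return h("<title>%s</title>") % user_supplied


def render_list(items):
    """Each item is escaped on its own; the surrounding <ul>/<li> is trusted."""
    body = h("").join(h("<li>%s</li>") % item for item in items)
    return h("<ul>") + body + h("</ul>")


if __name__ == "__main__":
    # Constructed sample inputs standing in for data received from a browser.
    print(render_title("Magic chars: <, >, &"))
    print(h("abc") + "&")
    print(render_list(["<b>not bold</b>", "plain"]))
```

The important property is that the escaping decision is made by the type, not by the programmer remembering to call an escape function at each substitution point: forgetting to wrap something in h() fails safe (it gets escaped), whereas forgetting cgi.escape() in the conventional approach fails open. Wrapping untrusted input in h() deliberately is the only way to get raw markup through, which makes those spots easy to find in review.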