Re: A critique of cgi.escape
- From: Jon Ribbens <jon+usenet@xxxxxxxxxxxxxxxxx>
- Date: 24 Sep 2006 02:28:17 GMT
In article <mailman.499.1159035571.10491.python-list@xxxxxxxxxx>, Fredrik Lundh wrote:
> Lawrence D'Oliveiro wrote:
>> So I think the default for the second argument to cgi.escape should be
>> changed to True. Or alternatively, the second argument should be removed
>> altogether, and quotes should always be escaped.
>
> you're confused: cgi.escape(s) is designed to be used for ordinary text,
> cgi.escape(s, True) is designed for attributes. if you use the code the
> way it's intended to be used, it works perfectly fine.

He's not confused, he's correct; the author of cgi.escape is the
confused one. The optional extra parameter is completely unnecessary
and achieves nothing except to make it easier for people to end up
with bugs in their code.
Making cgi.escape always escape the '"' character would not break
anything, and would probably fix a few bugs in existing code. Yes,
those bugs are not cgi.escape's fault, but that's no reason not to
be helpful. It's a minor improvement with no downside.
One thing that is flat-out wrong, by the way, is that cgi.escape()
does not encode the apostrophe (') character. This is essentially
identical to the quote character in HTML, so any code which is escaping
one should always be escaping the other.
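
Added example, not part of the original post and not the standard library's own code: it renders a value into a double-quoted and a single-quoted HTML attribute under each escaping mode discussed in the thread, then parses the tag to see whether the value stayed inside the attribute. legacy_escape is a stand-in written from the behaviour the thread describes (cgi.escape itself is absent from current Python), and the inputs are constructed with a harmless marker attribute.

```python
import html
from html.parser import HTMLParser


def legacy_escape(s, quote=False):
    """Stand-in for cgi.escape as described in the thread: always escapes
    & < >, escapes '"' only when quote is true, and never escapes "'"."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    return s.replace('"', "&quot;") if quote else s


class AttrCollector(HTMLParser):
    """Records the attributes of the first start tag the parser sees."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def extra_attrs(value, escaper, delim):
    """Render value inside an attribute quoted with delim, parse the tag,
    and return any attribute names other than the intended 'value'."""
    parser = AttrCollector()
    parser.feed("<input value=" + delim + escaper(value) + delim + ">")
    parser.close()
    return sorted(set(parser.attrs) - {"value"})


# Constructed inputs: each closes one quoting style and adds a harmless marker.
DQ = 'x" data-injected="1'
SQ = "x' data-injected='1"

ESCAPERS = {
    "escape(s)": legacy_escape,
    "escape(s, True)": lambda s: legacy_escape(s, True),
    "html.escape(s)": html.escape,  # Python 3 stdlib: escapes both quote characters
}

if __name__ == "__main__":
    for name, fn in ESCAPERS.items():
        print(f"{name:16} double-quoted: {extra_attrs(DQ, fn, chr(34))}"
              f"  single-quoted: {extra_attrs(SQ, fn, chr(39))}")
```

An empty list means the value stayed inside the attribute; a non-empty list means the template gained an attribute the author never wrote.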