Quixote 0.6 released
Andrew Kuchling
akuchlin@mems-exchange.org
Fri, 09 May 2003 15:18:02 -0400
We've just issued the final release of Quixote 0.6. With this
release, 0.6 becomes the new stable version of Quixote; it has already
seen production use on our web site.
The change list from 0.5.1 is extensive:
* A new and preferred syntax for declaring PTL templates has been added.
Instead of 'template func(): ...', the new form is 'def func [plain] ()'.
This uses a notation that's been suggested for adding type
information to Python functions. The Emacs Python mode already handles
this properly, and it may be more compatible with future versions of
Python.
The 'template' keyword is still supported, but we encourage you
to switch to the new syntax when you get a chance.
* Rename _q_getname() to _q_lookup(). The name '_q_getname' is still
supported, but will log a warning whenever it's encountered.
This change will require users to modify their applications.
* Quixote now supports a new kind of template that automatically performs
HTML escaping. Here's an example. (Notice that the '[plain]'
annotation is changed to '[html]' to enable this feature.)
    def header [html] (title):
        "<title>%s</title>" % title
If the 'title' argument is something like "R&D", it will
automatically be converted to "R&amp;D" following the rules
for escaping HTML special characters. The aim is to avoid cross-site
scripting attacks by automatically quoting unsafe characters in text.
See http://www.mems-exchange.org/software/quixote/doc/PTL.html for
more information about how this works.
This escaping is implemented using either a Python 'htmltext'
class or a C implementation. Both implementations have seen
production use on our web site.
* The form framework now uses this automatic HTML escaping. This
means that applications using the form framework will have
to either be changed to use automatic HTML escaping themselves,
or to use str() to convert 'htmltext' instances back to Python
strings.
As part of this change, form/form.py and form/form_templates.ptl
were merged into form/form.py.
See http://www.mems-exchange.org/software/quixote/doc/upgrading.html
for more information.
* Added a new hook, _q_resolve(), that can be used to delay
importing modules until they're actually accessed. Consult
doc/programming.txt for an explanation. (Original
suggestion and patch by Jon Corbet. In the process of adding it,
Publisher.get_component() was rearranged to clarify the logic.)
Smaller changes:
* Make Quixote a bit more friendly to multi-threaded applications
by allowing multiple simultaneous requests (patch by Titus Brown).
* Make util.xmlrpc() return an HTTP 405 Method Not Allowed error
if the method isn't a POST.
* Added demo/run_cgi.py, a script that makes it easy to write
one-file CGI applications that use Quixote. See the comments at the
top of the demo/run_cgi.py file for instructions.
* Added StaticFile and StaticDirectory classes to quixote.util.
Consult doc/static-files.txt for examples. (Contributed and
documented by Hamish Lawson.)
* Added quixote.server.twisted_http, which serves a Quixote application
using the Twisted event-driven framework (www.twistedmatrix.com).
Contributed by Graham Fawcett. We don't use this code ourselves,
but patches and bug fixes from Twisted users will be gratefully
accepted.
* If Quixote looks for _q_index() in a namespace and doesn't find
it, it raises AccessError (resulting in an HTTP 403 Forbidden error)
rather than failing with an ImportError. A minor side effect of
this change: Quixote will never attempt to import a module named
'_q_index', nor will it pass '_q_index' to any _q_resolve() function.
We don't expect this to be a backward compatibility problem.
* Factored out the traverse_url() and get_component() methods
from the Publisher class.
* Fix generation of temporary filenames in upload.py: filename
collisions should be impossible now.
* Documented _q_exception_handler().
Please send comments and questions to c.l.python or to the
quixote-users mailing list.
--amk (www.amk.ca)
"Amberley excelled at chess -- one mark, Watson, of a scheming mind."
-- Sherlock Holmes, in "The Adventure of the Retired Colourman"
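
The automatic HTML escaping described in the change list above, as an added example in plain Python 3; it is not code from the announcement or from Quixote. The class name SafeHTML and the functions header() and page() are hypothetical stand-ins for the idea behind 'htmltext' and an '[html]' template, and only %s substitutions are handled.

```python
from html import escape


class SafeHTML:
    """Marks a string as trusted markup (hypothetical name, not Quixote's class)."""

    def __init__(self, markup):
        self.markup = str(markup)

    @staticmethod
    def _quote(value):
        # Trusted markup passes through unchanged; anything else is
        # escaped exactly once, so nesting never double-escapes.
        if isinstance(value, SafeHTML):
            return value.markup
        return escape(str(value), quote=True)

    def __mod__(self, args):
        # The template literal is trusted; substituted values are not.
        if isinstance(args, dict):
            quoted = {k: self._quote(v) for k, v in args.items()}
        elif isinstance(args, tuple):
            quoted = tuple(self._quote(a) for a in args)
        else:
            quoted = self._quote(args)
        return SafeHTML(self.markup % quoted)

    def __add__(self, other):
        return SafeHTML(self.markup + self._quote(other))

    def __radd__(self, other):
        # Reached when a plain str is on the left-hand side of '+'.
        return SafeHTML(self._quote(other) + self.markup)

    def __str__(self):
        # str() hands the markup back as an ordinary Python string.
        return self.markup


def header(title):
    # Plain-Python counterpart of 'def header [html] (title)'.
    return SafeHTML("<title>%s</title>") % title


def page(title, body):
    # header() returns trusted markup; the raw body string is escaped.
    return header(title) + SafeHTML("<p>%s</p>") % body
```

Calling str() on the result is the step the form-framework note describes for code that still expects ordinary strings.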