A critique of cgi.escape
Duncan Booth
duncan.booth at invalid.invalid
Thu Sep 28 04:07:30 EDT 2006
Lawrence D'Oliveiro <ldo at geek-central.gen.new_zealand> wrote:
>> Also, because Python has a
>> conservative policy on backwards incompatible changes, you are protected
>> from some wanker going and changing the HTML safe mappings arbitrarily,
>> say using numerical entity references instead of &gt;, &lt; and &amp;.
>
> Why would that be wrong? It would still be consistent with the
> documentation.
>
It would be wrong, as he said, because "Python has a conservative policy on
backwards incompatible changes". In general (although they may not always
succeed) Python's core developers try not to change functionality even when
that functionality isn't clearly documented. Rather, if it becomes an issue,
they would prefer to clarify the documentation.
Yes, there is a downside to this: a lot of the Python standard libraries
aren't as good as they could be if incompatible changes were allowed, but
it does reduce maintenance headaches.
The solution is usually that when the standard API is insufficient you wrap
it in something else. cgi.escape is a good example: most people writing web
applications never call it directly because they produce their HTML output
using a templating language which does all the necessary quoting for them
automatically (e.g. Zope's TAL language). If you use TAL then you have zero
chance of forgetting to use &quot; in a situation where it is required,
but an incompatible change to cgi.escape could still break your existing
code.