A critique of cgi.escape
Lawrence D'Oliveiro
ldo at geek-central.gen.new_zealand
Mon Sep 25 23:48:16 EDT 2006
In message <mailman.579.1159199258.10491.python-list at python.org>, Fredrik
Lundh wrote:
> In article <ef8oqr$9pt$1 at news.albasani.net>, Georg Brandl wrote:
>>> I'm sorry, that's not good enough. How, precisely, would it break
>>> "existing code"? Can you come up with an example, or even an
>>> explanation of how it could break existing code?
>>
>> Is that so hard to see? If cgi.escape replaced "'" with an entity
>> reference, code that expects it not to do so would break.
>
> Sorry, that's still not good enough. Why would any code expect such a
> thing?
>>
> that's not up to you to decide, though.
Yes it is. An HTML-quoting function converts a string to its HTML-compatible
representation. Since it is now HTML-compatible, any code that tries to
work with it afterwards has got to expect it to be HTML-compatible. Which
means it has to allow for what HTML allows.
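The thread's concrete point is that cgi.escape leaves the single quote alone, so a value that is "HTML-compatible" by its definition is still not safe inside a single-quoted attribute. The following is an added example, not code from the original thread: it reimplements the documented behaviour of the old cgi.escape (removed in Python 3.8) as `legacy_cgi_escape` so it runs on current Python, puts the same untrusted input through it and through `html.escape` (which also escapes `'` as `&#x27;`), and uses the standard library's HTMLParser to show which attributes a parser actually sees. The `render_input` template and the `PAYLOAD` string are constructed for the illustration.

```python
"""Attribute-injection check: legacy cgi.escape versus html.escape.

Added example; `legacy_cgi_escape` reimplements the behaviour the removed
cgi.escape had (escape &, <, > and, with quote=True, the double quote only).
"""
import html
from html.parser import HTMLParser


def legacy_cgi_escape(s, quote=False):
    """Behaviour of the removed cgi.escape: never touches the single quote."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def render_input(value, escaper):
    """Constructed template: escaped value inside a *single*-quoted attribute."""
    return "<input name='q' value='%s'>" % escaper(value, True)


class _InputAttrs(HTMLParser):
    """Collects the attributes a parser assigns to the <input> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            # HTMLParser unescapes attribute values, as a browser would.
            self.attrs = dict(attrs)


def parsed_input_attrs(markup):
    """Return the attribute dict of the <input> tag in `markup`."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def injects_attribute(value, escaper):
    """True if `value` adds an attribute the template did not write."""
    attrs = parsed_input_attrs(render_input(value, escaper))
    return bool(set(attrs) - {"name", "value"})


# Constructed untrusted input: closes the single-quoted attribute and
# appends an event handler attribute.
PAYLOAD = "' onmouseover='alert(1)"

if __name__ == "__main__":
    for label, esc in (("legacy cgi.escape", legacy_cgi_escape),
                       ("html.escape", html.escape)):
        print("%-18s %s" % (label, render_input(PAYLOAD, esc)))
        print("%-18s attrs=%r injects=%s" % (
            "", parsed_input_attrs(render_input(PAYLOAD, esc)),
            injects_attribute(PAYLOAD, esc)))
```

Run as a script it prints the two renderings side by side: with the legacy escaper the parser reports an extra `onmouseover` attribute, with `html.escape` the whole payload stays inside `value`. The check is deliberately done with a parser rather than a substring search, since what matters is how the markup is tokenised, not whether a particular string appears in it.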