[issue26585] Use html.escape to replace _quote_html in http.server

Martin Panter report at bugs.python.org
Fri Mar 18 18:32:17 EDT 2016


Martin Panter added the comment:

Thanks for the tests. I left a couple comments.

About encoding quotes: Personally I don’t see much value unless you are encoding an attribute value, in which case I would prefer to use xml.sax.saxutils.quoteattr(). Encoded quotes would only become useful if the “error_message_format” attribute was modified.

A more practical downside is that if “error_content_type” is set to say text/plain, we are adding two somewhat common characters that will get messed up. E.g. the “explain” string for 429 Too Many Requests will include the double-quoted "rate limiting". And an apostrophe could easily be given in a custom error message, e.g. “Can't write a clean error message”.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue26585>
_______________________________________
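Added example, not part of the original message or of http.server: it shows what `html.escape` does to the two kinds of message mentioned above when quotes are always encoded, next to escaping chosen per output context. The helper names, the context labels and the sample strings are assumptions constructed for illustration.

```python
import html
from xml.sax.saxutils import quoteattr

# Constructed sample messages modelled on the two cases in the comment.
EXPLAIN = 'Too many requests ("rate limiting")'
CUSTOM = "Can't write a clean <error> message"


def always_quote(value):
    """Escape with html.escape's default quote=True, whatever the content type."""
    return html.escape(value)


def escape_for(context, value):
    """Hypothetical helper: choose the escaping that matches the output context."""
    if context == "html_text":
        # Element content: only &, < and > can change how the markup parses.
        return html.escape(value, quote=False)
    if context == "html_attr":
        # Attribute value: quoteattr() escapes and adds the surrounding quotes.
        return quoteattr(value)
    if context == "plain":
        # text/plain is not parsed as markup, so entities would show up literally.
        return value
    raise ValueError("unknown context: %r" % context)


if __name__ == "__main__":
    for msg in (EXPLAIN, CUSTOM):
        print("always quote :", always_quote(msg))
        for ctx in ("html_text", "html_attr", "plain"):
            print("%-13s:" % ctx, escape_for(ctx, msg))
```
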