对cgi.escape的批评 [英] A critique of cgi.escape
问题描述
逃避功能在cgi中模块在HTML中以特殊的
含义转义字符。那些需要转义的是''<'',''&'和''''''''。
但是,如果你通过秒,cgi.escape只会转义引号字符
参数为True(默认值为False):
The "escape" function in the "cgi" module escapes characters with special
meanings in HTML. The ones that need escaping are ''<'', ''&'' and ''"''.
However, cgi.escape only escapes the quote character if you pass a second
argument of True (the default is False):
>> cgi.escape(" \'" quick \"&< brownfox")
>>cgi.escape("the \"quick\" & <brownfox")
''快速' &放大器;放大器; &安培; LT;棕色&安培; GT; fox''
''the "quick" & <brown> fox''
>> cgi.escape(" \" quick \"&< brownfox",True)
>>cgi.escape("the \"quick\" & <brownfox", True)
''& quot; quick& quot; &放大器;放大器; &安培; LT;棕色&安培; GT; fox''
这对我来说似乎是愚蠢的。默认选项应该是安全的:
是,escape _all_潜在的麻烦字符。
唯一一次可以逃脱而不是逃避报价字符是在标记之外,
例如
< TEXTAREA> ;
unescaped" quotes"允许在这里
< / TEXTAREA>
尽管如此,即使在这种情况下,也可以使用转义报价。
所以我认为cgi.escape的第二个参数的默认值应该是
更改为True。或者,第二个参数应该被删除
,并且引号应该总是被转义。
可以更改默认中断现有脚本吗?我怎么也看不到。它可能
甚至修复了一些潜伏的bug。
''the "quick" & <brown> fox''
This seems to me to be dumb. The default option should be the safe one: that
is, escape _all_ the potentially troublesome characters. The only time you
can get away with NOT escaping the quote character is outside of markup,
e.g.
<TEXTAREA>
unescaped "quotes" allowed here
</TEXTAREA>
Nevertheless, even in that situation, escaped quotes are acceptable.
So I think the default for the second argument to cgi.escape should be
changed to True. Or alternatively, the second argument should be removed
altogether, and quotes should always be escaped.
Can changing the default break existing scripts? I don''t see how. It might
even fix a few lurking bugs out there.
推荐答案
Lawrence D''Oliveiro写道:
Lawrence D''Oliveiro wrote:
所以我认为cgi.escape的第二个参数的默认值应该是
更改为True。或者,应该删除第二个参数
,并且应始终转义引号。
So I think the default for the second argument to cgi.escape should be
changed to True. Or alternatively, the second argument should be removed
altogether, and quotes should always be escaped.
你很困惑:cgi.escape(s)设计用于普通文本,
cgi.escape(s ,True)是为属性而设计的。如果您使用的代码是
,它的使用方式非常好。
you''re confused: cgi.escape(s) is designed to be used for ordinary text,
cgi.escape(s, True) is designed for attributes. if you use the code the
way it''s intended to be used, it works perfectly fine.
可以更改默认的中断现有脚本?我怎么也看不到。它甚至可以修复一些潜伏的错误。
Can changing the default break existing scripts? I don''t see how. It might
even fix a few lurking bugs out there.
我不确定这个每次我都不会马上理解的东西,
我会写一个更改提案而不是阅读图书馆参考
方法是健康的,真的。
< / F>
I''m not sure this "every time I don''t immediately understand something,
I''ll write a change proposal instead of reading the library reference"
approach is healthy, really.
</F>
在消息< ma ************************************ **@python.o rg>,Fredrik
Lundh写道:
In message <ma**************************************@python.o rg>, Fredrik
Lundh wrote:
Lawrence D''Oliveiro写道:
Lawrence D''Oliveiro wrote:
>所以我认为cgi.escape的第二个参数的默认值应该是
改为True。或者,应该完全删除第二个参数,并且应始终对引号进行转义。
>So I think the default for the second argument to cgi.escape should be
changed to True. Or alternatively, the second argument should be removed
altogether, and quotes should always be escaped.
你很困惑:cgi.escape(s)旨在用于普通文本,
cgi.escape(s ,True)是为属性而设计的。
you''re confused: cgi.escape(s) is designed to be used for ordinary text,
cgi.escape(s, True) is designed for attributes.
什么适用于属性也适用于普通文本。
What works for attributes also works for ordinary text.
在文章< ma **************************************@python.o rg> ;, Fredrik Lundh写道:
In article <ma**************************************@python.o rg>, Fredrik Lundh wrote:
Lawrence D''Oliveiro写道:
Lawrence D''Oliveiro wrote:
>所以我认为第二个参数的默认值为cgi.escape应该改为True。或者,应该完全删除第二个参数,并且应始终对引号进行转义。
>So I think the default for the second argument to cgi.escape should be
changed to True. Or alternatively, the second argument should be removed
altogether, and quotes should always be escaped.
你很困惑:cgi.escape(s)旨在用于普通文本,
cgi.escape(s ,True)是为属性而设计的。如果您使用的代码是
,那么它的使用方式非常好。
you''re confused: cgi.escape(s) is designed to be used for ordinary text,
cgi.escape(s, True) is designed for attributes. if you use the code the
way it''s intended to be used, it works perfectly fine.
他并不困惑,他是对的; cgi.escape的作者是
混淆了。可选的额外参数是完全没有必要的
并且除了让人们更容易结束代码中的错误之外什么都没有实现。
使cgi.escape总是逃避''''''字符不会破坏
任何东西,并且可能会修复现有代码中的一些错误。是的,
这些错误不是cgi.escape'的错,但是没有理由不给b
提供帮助。这是一个小小的改进,没有任何缺点。
顺便说一下,有一件事是错误的,那就是cgi.escape()
不编码撇号('')字符。这基本上与HTML中的引号字符相同,因此任何逃避
的代码都应该总是逃避另一个。
He''s not confused, he''s correct; the author of cgi.escape is the
confused one. The optional extra parameter is completely unnecessary
and achieves nothing except to make it easier for people to end up
with bugs in their code.
Making cgi.escape always escape the ''"'' character would not break
anything, and would probably fix a few bugs in existing code. Yes,
those bugs are not cgi.escape''s fault, but that''s no reason not to
be helpful. It''s a minor improvement with no downside.
One thing that is flat-out wrong, by the way, is that cgi.escape()
does not encode the apostrophe ('') character. This is essentially
identical to the quote character in HTML, so any code which escaping
one should always be escaping the other.
这篇关于对cgi.escape的批评的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
