A critique of cgi.escape

  • Thread starter Lawrence D'Oliveiro

Lawrence D'Oliveiro

How exactly would you make s = s.replace('"',"&quot;") faster than
*not* doing the replacement?

Wrong answer. Correctness comes first, then we worry about efficiency.
 

Georg Brandl

Lawrence said:
I don't have to be. Whoever the designer was, they had not properly thought
through the uses of this function. That's quite obvious already, to anybody
who works with HTML a lot. So the function is broken and needs to be fixed.

If you're worried about changing the semantics of a function that keeps the
same "cgi.escape" name, then fine. We delete the existing function and add
a new, properly-designed one. _That_ will be a wake-up call to all the
users of the existing function to fix their code.

What about the users who don't need to "fix" their code since it's working fine
and flawlessly with the current cgi.escape?

Georg
 

Georg Brandl

Lawrence said:
I'm not surprised. Disappointed, yes. Verging on disgust at some comments in
this thread, yes. But "surprised" is what a lot of users of the existing
cgi.escape function are going to be when they discover their code isn't
doing what they thought it was.

Why should they be surprised? The documentation states clearly what cgi.escape()
does (as does the docstring).

Georg
 

Lawrence D'Oliveiro

Why should they be surprised? The documentation states clearly what
cgi.escape() does (as does the docstring).

Documentation frequently states stupid things. Doesn't mean it should be
treated as sacrosanct.
 

Lawrence D'Oliveiro

What about the users who don't need to "fix" their code since it's working
fine and flawlessly with the current cgi.escape?

They're just lucky, I guess, that the bugs haven't bitten them--yet.
 

Jon Ribbens

I generally find that Fredrik's rudeness quotient is satisfactorily
biased towards discouraging ill-informed comment.

It's a pity he's being rude when presented with well-informed comment
then.

As far as rudeness goes, I've found your approach to this discussion
to be pretty obnoxious, and I'm generally known as someone with a
high tolerance for idiotic behaviour.

Why do you say that? I have confined myself to simple logical
arguments, and been frankly very restrained when presented with
rudeness and misunderstanding from other thread participants.
In what way should I have modified my postings?
 

Georg Brandl

Lawrence said:
Documentation frequently states stupid things. Doesn't mean it should be
treated as sacrosanct.

That's not the point. The point is that someone using cgi.escape() will hardly
be surprised by what it does and doesn't do.

Georg
 

Jim

Jon said:
You're right - I've never seen anyone do such a thing. It sounds like
a highly dubious and very fragile sort of test to me, of very limited
use.

I have code that checks to see if my CGI scripts generate the pages
that I expect. That code would break. (Whether I should not have
written them that way is a different point, but it would break.)

Jim
 

Lawrence D'Oliveiro

That's not the point. The point is that someone using cgi.escape() will
hardly be surprised by what it does and doesn't do.

And this surprise, or lack of it, is relevant to the argument how, exactly?
 

Steve Holden

Jon said:
It's a pity he's being rude when presented with well-informed comment
then.

Why do you say that? I have confined myself to simple logical
arguments, and been frankly very restrained when presented with
rudeness and misunderstanding from other thread participants.
In what way should I have modified my postings?

Please allow me to apologise. I have clearly been confusing you with
someone else. A review of your contributions to the thread confirms your
assertion.

regards
Steve
 

Sion Arrowsmith

Jon Ribbens said:
You're right - I've never seen anyone do such a thing. It sounds like
a highly dubious and very fragile sort of test to me, of very limited
use.

So what sort of test would you use, that doesn't involve comparing
actual output against expected output?
 

Christophe

Sion Arrowsmith wrote:
So what sort of test would you use, that doesn't involve comparing
actual output against expected output?

Well, one could say that the expected output is the one as it'll be
interpreted by the HTML navigator. And thus, the test should un-HTML-escape
the string and compare it to the original string instead of
mandating a specific encoding.
 

Jon Ribbens

Please allow me to apologise. I have clearly been confusing you with
someone else. A review of your contributions to the thread confirms your
assertion.

Oh, ok! You had me worried for a minute there ;-)
 

Fredrik Lundh

Jon said:
This has nothing to do with character encodings.

it has *everything* to do with encoding of existing data into HTML so it can be
safely transported to, and recreated by, an HTML-aware client.

does the word "information set" mean anything to you?

</F>
 

Steve Holden

Lawrence said:
And this surprise, or lack of it, is relevant to the argument how, exactly?

Is there *any* branch of this thread that won't end with some snippy
remark from you?
 

Fredrik Lundh

Lawrence said:
What you're doing is adding to the reasons why the existing cgi.escape
function is stupidly designed and implemented. The True case is by far the
most common

really? most HTML attributes cannot even contain things that would need to
be escaped, while *all* element content needs escaping. and the web contains
a lot of element content, as should be obvious to anyone who's been there...

</F>
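
Added example, not part of any post in this thread: a round-trip check of the kind Christophe describes (parse the escaped output and compare what comes back with the original string), applied to the element-content versus attribute distinction Fredrik raises. `legacy_escape` is a stand-in written here with the behaviour debated above (cgi.escape itself was removed in Python 3.8), and the sample value is constructed.

```python
import html
from html.parser import HTMLParser


def legacy_escape(s, quote=False):
    """Stand-in written for this example: &, <, > are always replaced,
    '"' only when quote is true (the behaviour argued over in the thread)."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    return s.replace('"', "&quot;") if quote else s


def quoting_escape(s):
    """The 'True case': same stand-in with quote=True."""
    return legacy_escape(s, quote=True)


class Collector(HTMLParser):
    """Records what an HTML parser recovers: start tags, attributes, text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_data(self, data):
        self.text.append(data)


def parse(markup):
    collector = Collector()
    collector.feed(markup)
    collector.close()
    return collector


def roundtrips_as_text(value, escape):
    """True if value, escaped into element content, parses back unchanged."""
    doc = parse("<p>" + escape(value) + "</p>")
    return [t for t, _ in doc.tags] == ["p"] and "".join(doc.text) == value


def roundtrips_as_attr(value, escape):
    """True if value, escaped into a double-quoted attribute, parses back
    as exactly one attribute holding the original string."""
    doc = parse('<input value="' + escape(value) + '">')
    return doc.tags == [("input", {"value": value})]


SAMPLE = 'Tom & "Jerry\'s" <b>'  # constructed test value
```

The check passes for any escaper whose output parses back to the original, so `quoting_escape` and `html.escape` both pass the attribute test even though they emit different strings for `SAMPLE`; the default `legacy_escape` passes only in element content.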
 

Georg Brandl

Lawrence said:
And this surprise, or lack of it, is relevant to the argument how, exactly?

Which argument? You said users were going to be surprised, I told you why they
aren't.

Georg

(Okay, this is my last posting to this thread)
 

Fredrik Lundh

Georg said:
It says "to HTML-safe sequences". That's reasonably clear without the need
to reproduce the exact replacements for each character.

the same documentation tells people what function to use if they want to quote
*everything* that might need to be quoted, so if people did actually understand
everything that was written in a reasonably clear way, this thread wouldn't even exist.

</F>
 
