In article <[EMAIL PROTECTED]>, Fredrik Lundh wrote:
> Lawrence D'Oliveiro wrote:
>> So I think the default for the second argument to cgi.escape should be
>> changed to True. Or alternatively, the second argument should be removed
>> altogether, and quotes should always be escaped.
>
> you're confused: cgi.escape(s) is designed to be used for ordinary text,
> cgi.escape(s, True) is designed for attributes. if you use the code the
> way it's intended to be used, it works perfectly fine.

He's not confused, he's correct; the author of cgi.escape is the confused one. The optional extra parameter is completely unnecessary and achieves nothing except to make it easier for people to end up with bugs in their code.

Making cgi.escape always escape the '"' character would not break anything, and would probably fix a few bugs in existing code. Yes, those bugs are not cgi.escape's fault, but that's no reason not to be helpful. It's a minor improvement with no downside.

One thing that is flat-out wrong, by the way, is that cgi.escape() does not encode the apostrophe (') character. This is essentially identical to the quote character in HTML, so any code which is escaping one should always be escaping the other.
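
Added example, not part of the original post or of the Python standard library's own code: it escapes a value containing both quote characters, places it in an attribute, and parses the tag back to see whether the value survives. `legacy_escape` is a re-creation that assumes the cgi.escape behaviour described in the thread; `html.escape` is the standard-library function that escapes both quote characters by default; `roundtrip` and `SAMPLE` are names made up for this example.

```python
from html import escape as html_escape   # stdlib; escapes & < > " and '
from html.parser import HTMLParser


def legacy_escape(s, quote=False):
    # Re-creation (assumption) of cgi.escape as described in the thread:
    # & < > are always escaped, '"' only when quote is true, "'" never.
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


class _FirstTag(HTMLParser):
    """Records the attribute list of the first start tag seen."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = attrs


def roundtrip(escaper, value, delim):
    """Escape value, place it in <input value=...>, parse the tag back.

    Returns (parsed value attribute, number of attributes the parser saw).
    A correct escaper gives back (value, 1).
    """
    markup = "<input value=" + delim + escaper(value) + delim + ">"
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    attrs = parser.attrs or []
    return dict(attrs).get("value"), len(attrs)


SAMPLE = 'say "hi" to O\'Neil'   # constructed input with both quote characters

if __name__ == "__main__":
    cases = [("legacy_escape(s)", legacy_escape),
             ("legacy_escape(s, True)", lambda s: legacy_escape(s, True)),
             ("html.escape(s)", html_escape)]
    for name, fn in cases:
        for delim in ('"', "'"):
            print(f"{name:24} delim {delim}  ->", roundtrip(fn, SAMPLE, delim))
```

Only the escaper that handles both `"` and `'` returns the original value with a single attribute regardless of which delimiter the template author used.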