More on HTML and URL Escapes

Perhaps the most subtle change in the last section’s rewrite is that, for robustness, this version also calls cgi.escape for the language name, not just for the language’s code snippet. It’s unlikely but not impossible that someone could pass the script a language name with an embedded HTML character. For example, a URL like:<b

embeds a < in the language name parameter (the name is a<b). When submitted, this version uses cgi.escape to properly translate the < for use in the reply HTML, according to the standard HTML escape conventions discussed earlier:


Sorry--I don't know that language

The original version doesn’t escape the language name, such that the embedded <b is interpreted as an HTML tag (which may make the rest of the page render in bold font!). As you can probably tell by now, text escapes are pervasive in CGI scripting -- even text that you may think is safe must generally be escaped before being inserted into the HTML code in the reply stream.

URL Escape Code Conventions

Notice, though, that while it’s wrong to embed an unescaped < in the HTML code reply, it’s perfectly okay to include it literally in the earlier URL string used to trigger the reply. In fact, HTML and URLs define completely different characters as special. For instance, although & must be escaped as &amp inside HTML ...

Get Programming Python, Second Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.