EscapingAmpersands.py :  » Web-Frameworks » Aquarium » aquarium-2.3 » aquarium » urlscheme » Python Open Source

Home
Python Open Source
1.3.1.2 Python
2.Ajax
3.Aspect Oriented
4.Blog
5.Build
6.Business Application
7.Chart Report
8.Content Management Systems
9.Cryptographic
10.Database
11.Development
12.Editor
13.Email
14.ERP
15.Game 2D 3D
16.GIS
17.GUI
18.IDE
19.Installer
20.IRC
21.Issue Tracker
22.Language Interface
23.Log
24.Math
25.Media Sound Audio
26.Mobile
27.Network
28.Parser
29.PDF
30.Project Management
31.RSS
32.Search
33.Security
34.Template Engines
35.Test
36.UML
37.USB Serial
38.Web Frameworks
39.Web Server
40.Web Services
41.Web Unit
42.Wiki
43.Windows
44.XML
Python Open Source » Web Frameworks » Aquarium 
Aquarium » aquarium 2.3 » aquarium » urlscheme » EscapingAmpersands.py
"""How to escape &'s in URLs.

Please read about `Ampersands (&'s) in URLs`_.

The short answer is, if you have a URL with more than one parameter, you should
wrap it with ``$htmlent`` when you embed it in HTML if you want to pass DTD
validation.  If you don't care, then it really won't matter.  What follows is
an explanation of why I can't make it any easier on you.

1. You must escape &'s in URLs in order to pass DTD validation.  Per the
   spec, a browser could look at ``http://a.com/?a=b©=2`` and interpret
   the ``©=`` as part of value of the ``a`` variable instead of a new
   variable named ``copy;`` because ``©`` is an HTML entity.

2. To handle #1, Aquarium use to escape the &'s in every URL automatically.

3. However, #2 broke redirects if you redirected to a URL with more than
   one parameter.  I so rarely did this, that I didn't know about the bug for
   a good year.

4. To fix the bug in #3, we came up with a scheme to always escape &'s but deal
   with the redirect case specially.  Now imagine if you create a HTML link
   whose URL has a parameter named referrer that is set to your current URL,
   which itself happens to have two parameters.  When the user clicks on the
   link, Aquarium now has a GET parameter named referrer that is a URL.  The
   programmer can use that URL directly in HTML (in which case the &'s must be
   escaped) or he might redirect to it (in which case the &'s must not be
   escaped).  The programmer is never going to remember whether the URL is
   already escaped (per #3, it already is) and whether he needs to escape it
   for a link or unescape it for a redirect.  His brain would core dump.

When it comes to escaping things, a good general rule is to escape things at
the last possible moment.  By violating this rule, bad things were happening.

5. We could force engineers to wrap every URL in HTML with htmlent, but that
   would suck.  Too much existing code doesn't.

6. Browsers are smart, and most of the time, if you don't escape the &'s, the
   browser won't get confused.  In fact, you can't generate a URL like
   ``http://a.com/?a=b©=2`` with Aquarium anyway, because the ; will
   get urlencoded to ``%3B``.  Hence, it's not possible to get Aquarium to
   generate a URL that would confuse the browser.  Programmers who are worried
   about passing DTD validation and have a URL with more than one parameter
   will just have to use ``$htmlent``.  That's better than forcing every
   programmer to think about the problem every time he generates a URL since,
   practically speaking, the warning is pedantic.

.. _Ampersands (&'s) in URLs:
   http://www.htmlhelp.com/tools/validator/problems.html#amp

"""

__docformat__ = "restructuredtext"

# Created: Tue Mar 14 18:25:45 PST 2006
# Author: Shannon -jj Behrens, Brandon Golm, Eric Huss
# Email: jjinux@users.sourceforge.net
#
# Copyright (c) Shannon -jj Behrens.  All rights reserved.
www.java2java.com | Contact Us
Copyright 2009 - 12 Demo Source and Support. All rights reserved.
All other trademarks are property of their respective owners.