[Programming Python (4th Edition)].(Programming.Python.4th.Edition).Mark.Lutz.Text Edition

(yzsuai) #1

Escaping Mail Text and Passwords in HTML


Notice that everything you see on the message view page’s HTML in Figure 16-14 is
escaped with cgi.escape. Header fields and the text of the mail itself might contain
characters that are special to HTML and must be translated as usual. For instance,
because some mailers allow you to send messages in HTML format, it’s possible that
an email’s text could contain a </textarea> tag, which might throw the reply page
hopelessly out of sync if not escaped.


One subtlety here: HTML escapes are important only when text is sent to the browser
initially by the CGI script. If that text is later sent out again to another script (e.g., by
sending a reply mail), the text will be back in its original, nonescaped format when
received again on the server. The browser parses out escape codes and does not put
them back again when uploading form data, so we don’t need to undo escapes later.
For example, here is part of the escaped text area sent to a browser during a Reply
transaction (use your browser’s View Source option to see this live):


<tr><th align=right>Text:
<td><textarea name=text cols=80 rows=10 readonly>
more stuff

--Mark Lutz (http://rmi.net/~lutz) [PyMailCgi 2.0]

&gt; -----Original Message-----
&gt; From: [email protected]
&gt; To: [email protected]
&gt; Date: Tue May 2 18:28:41 2000
&gt;
&gt; &lt;table&gt;&lt;textarea&gt;
&gt; &lt;/textarea&gt;&lt;/table&gt;
&gt; --Mark Lutz (http://rmi.net/~lutz) [PyMailCgi 2.0]
&gt;
&gt;
&gt; &gt; -----Original Message-----

After this reply is delivered, its text looks as it did before escapes (and exactly as it
appeared to the user in the message edit web page):


more stuff

--Mark Lutz (http://rmi.net/~lutz) [PyMailCgi 2.0]

> -----Original Message-----
> From: [email protected]
> To: [email protected]
> Date: Tue May 2 18:28:41 2000
>
> <table><textarea>
> </textarea></table>
> --Mark Lutz (http://rmi.net/~lutz) [PyMailCgi 2.0]
>
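
The round trip described above, as an added example (not code from the book or from PyMailCGI). It uses html.escape, the standard-library replacement for cgi.escape (removed in Python 3.8), and html.parser as a stand-in for the browser; render, browser_value, TextareaValue and the sample mail text are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a reply body that quotes a mail containing the tags
# shown in the listing above, plus a bare ampersand.
MAIL_TEXT = ("more stuff\n\n> -----Original Message-----\n"
             "> <table><textarea>\n> </textarea></table>\n> & more\n")


def render(text, escape=True):
    """Build the reply page's text area (hypothetical helper)."""
    body = html.escape(text) if escape else text
    return ("<td><textarea name=text cols=80 rows=10 readonly>"
            + body + "</textarea>")


class TextareaValue(HTMLParser):
    """Collect what a browser would submit as the first textarea's value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode &gt; &lt; &amp;
        self.inside = self.done = False
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "textarea" and not self.done:
            self.inside = True

    def handle_endtag(self, tag):
        if tag == "textarea" and self.inside:
            self.inside, self.done = False, True  # first close tag wins

    def handle_data(self, data):
        if self.inside:
            self.parts.append(data)


def browser_value(page):
    """Parse the page and return the text area's decoded contents."""
    parser = TextareaValue()
    parser.feed(page)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    print(browser_value(render(MAIL_TEXT)) == MAIL_TEXT)                # True
    print(browser_value(render(MAIL_TEXT, escape=False)) == MAIL_TEXT)  # False
```

Without escaping, the quoted </textarea> ends the field early and the rest of the mail spills into the page markup; with escaping, the value the browser holds is the original text, so nothing needs to be unescaped on the server.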

1264 | Chapter 16: The PyMailCGI Server
