Beyond the normal text, the password gets special HTML-escaping treatment as well.
Though not shown in our examples, the hidden password field of the generated HTML
screenshot (Figure 16-14) can look downright bizarre when encryption is applied. It
turns out that the POP password is still encrypted when placed in hidden fields of the
HTML. For security, it has to be. Values of a page’s hidden fields can be seen with
a browser’s View Source option, and it’s not impossible that the text of this page could
be saved to a file or intercepted off the Net.
The password is no longer URL encoded when put in the hidden field, however, even
though it was when it appeared as a query parameter at the end of a stateful URL in
the mail list page. Depending on your encryption module, the password might now
contain nonprintable characters when generated as a hidden field value here; the
browser doesn’t care, as long as the field is run through cgi.escape like everything else
added to the HTML reply stream. The commonhtml module is careful to route all text
and headers through cgi.escape as the view page is constructed.
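
The two encodings described above, as an added example that is not code from the book: the same constructed stand-in for an encrypted password is URL-encoded for a stateful URL and HTML-escaped for a hidden field, and each is read back with a standard-library parser. It uses html.escape, the replacement for cgi.escape (removed from the standard library in Python 3.8), with quote=True because the value sits inside an attribute; the script name, field names and helper names are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote_plus, urlsplit, parse_qs

# Constructed stand-in for an encrypted password: quotes, markup
# characters, two control characters and one non-ASCII character.
SECRET = 'k"\'<&>\x07\x1b\xe9;='

def stateful_url(pswd):
    # Query-parameter context: URL-encode (hypothetical script and fields).
    return 'view.py?user=bob&pswd=' + quote_plus(pswd)

def read_url(url):
    # What the server-side script recovers from the query string.
    return parse_qs(urlsplit(url).query)['pswd'][0]

def hidden_field(pswd, escape=True):
    # Attribute context: HTML-escape, including both quote characters.
    # escape=False shows the broken variant for comparison.
    value = html.escape(pswd, quote=True) if escape else pswd
    return '<input type="hidden" name="pswd" value="%s">' % value

class _FieldReader(HTMLParser):
    """Collects the value of the first input named 'pswd', as a browser would."""
    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == 'input' and attrs.get('name') == 'pswd' and self.value is None:
            self.value = attrs.get('value')

def read_hidden_field(markup):
    reader = _FieldReader()
    reader.feed(markup)
    reader.close()
    return reader.value

if __name__ == '__main__':
    print(stateful_url(SECRET))
    print(hidden_field(SECRET))
    # Escaped field survives intact; unescaped field is cut at the first quote.
    print(repr(read_hidden_field(hidden_field(SECRET))))
    print(repr(read_hidden_field(hidden_field(SECRET, escape=False))))
```

Without escaping, the first double quote in the value ends the attribute, so the submitted password is truncated and the rest of the text spills into the page markup.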
As a comparison, Figure 16-15 shows what the mail message captured in
Figure 16-12 looks like when viewed in PyMailGUI, the client-side “desktop” tkinter-based
email tool from Chapter 14. In that program, message parts are listed with the Parts
button and are extracted, saved, and opened with the Split button; we also get
quick-access buttons to parts and attachments just below the message headers. The net effect
is similar from an end user’s perspective.
Figure 16-15. PyMailGUI viewer, same message as Figure 16-12