Having said that, I should add that some examples in this book do not escape & URL
separators embedded within HTML simply because their URL parameter names are
known not to conflict with HTML escapes. In fact, this concern is likely to be rare in
practice, since your program usually controls the set of parameter names it expects.
This is not, however, the most general solution, especially if parameter names may be
driven by a dynamic database; when in doubt, escape much and often.
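The conflict described above, as an added example that is not code from the book: the parameter names lt and copy are constructed to collide with HTML entity names. html.escape is the current standard-library replacement for the cgi.escape call named on this page, and html.unescape stands in here for a lenient HTML parser's entity decoding (real browsers vary in how they treat an entity name with no closing semicolon).

```python
import html
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample parameters: 'lt' and 'copy' collide with HTML entity names.
PARAMS = {'name': 'Bob & Sue', 'lt': '5', 'copy': '2'}


def build_url(script, params):
    """URL-escape each value, then join the pairs with '&' separators."""
    return script + '?' + urlencode(params)


def link_naive(url, text):
    """Embed the URL as-is: the '&' separators reach the HTML parser raw."""
    return '<a href="%s">%s</a>' % (url, html.escape(text))


def link_escaped(url, text):
    """HTML-escape the finished URL so every '&' separator becomes '&amp;'."""
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                    html.escape(text))


def href_as_parsed(link):
    """Stand-in for a browser: pull out the href and decode HTML entities."""
    raw = link.split('href="', 1)[1].split('"', 1)[0]
    return html.unescape(raw)


def params_received(link):
    """Parameters the server would get if the decoded href were followed."""
    return parse_qs(urlsplit(href_as_parsed(link)).query)


if __name__ == '__main__':
    url = build_url('languages.py', PARAMS)
    for make in (link_naive, link_escaped):
        link = make(url, 'show')
        print(make.__name__, link, params_received(link), sep='\n  ')
```

The order matters: URL-escape the values first, then HTML-escape the whole URL once, at the point where it is written into the page.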
“How I Learned to Stop Worrying and Love the Web”
Lest the HTML and URL formatting rules sound too clumsy (and send you screaming
into the night!), note that the HTML and URL escaping conventions are imposed by
the Internet itself, not by Python. (As you’ve learned by now, Python has a different
mechanism for escaping special characters in string constants with backslashes.) These
rules stem from the fact that the Web is based on the notion of shipping formatted text
strings around the planet, and are almost surely influenced by the tendency of different
interest groups to develop very different notations.
You can take heart, though, in the fact that you often don’t need to think in such cryptic
terms; when you do, Python automates the translation process with library tools. Just
keep in mind that any script that generates HTML or URLs dynamically probably needs
to call Python’s escaping tools to be robust. We’ll see both the HTML and the URL
escape tool sets employed frequently in later examples in this chapter and the next.
Moreover, web development frameworks and tools such as Zope and others aim to get
rid of some of the low-level complexities that CGI scripters face. And as usual in
programming, there is no substitute for brains; amazing technologies like the Internet come
at an inevitable cost in complexity.
Transferring Files to Clients and Servers
It’s time to explain a bit of HTML code that’s been lurking in the shadows. Did you
notice those hyperlinks on the language selector examples’ main pages for showing the
CGI script’s source code (the links I told you to ignore)? Normally, we can’t see such
script source code, because accessing a CGI script makes it execute—we can see only
its HTML output, generated to make the new page. The script in Example 15-26,
referenced by a hyperlink in the main language.html page, works around that by opening
the source file and sending its text as part of the HTML response. The text is marked
with <pre> as preformatted text and is escaped for transmission inside HTML with
cgi.escape.
Example 15-26. PP4E\Internet\Web\cgi-bin\languages-src.py
#!/usr/bin/python
"Display languages.py script code without running it."
import cgi
filename = 'cgi-bin/languages.py'