
[Quixote-users] ANN: Quixote 0.6beta1 released

From:  Andrew Kuchling <akuchlin@mems-exchange.org>
To:  quixote-users@mems-exchange.org
Subject:  [Quixote-users] ANN: Quixote 0.6beta1 released
Date:  Thu, 09 Jan 2003 12:50:37 -0500

We've just issued a beta 1 release of Quixote 0.6.  

  http://www.mems-exchange.org/software/files/quixote/Quixote-0.6b1.tar.gz

A full list of changes is below.  Particularly notable changes are:

    * A change to PTL declaration syntax, from:

template func ():
    ...

to:

def func [plain] ():    or      def func [html] ():
    ...                             ...

(The 'template' keyword is still supported.)  If you use [plain] in
the definition, templates behave exactly as they do in 0.5.1.  
If you use [html], you enable the next feature...

    * ... automatic HTML escaping.  <, >, and & in string literals
inside an HTML template are left alone, but strings coming from
variables or expressions will automatically have such characters
escaped.  Result: you don't have to remember to use
html_quote(), and security holes that expose you to cross-site
scripting attacks should be much rarer.  See doc/PTL.txt for more
details about how this works.

    * The form framework now uses automatic HTML escaping.  This is
probably the largest backward incompatibility in 0.6; users of the
form framework will have to modify their code.

Please send questions, comments and bug reports to the quixote-users
list.

--amk                                                    (www.amk.ca)
I can stand an operation on its head quicker than anyone.
      -- The Doctor, in "The Macra Terror"


Full change list for 0.6b1 (9 Jan 2003):

  * Merged form/form.py and form/form_templates.ptl into
    form/form.ptl. (This means that you should completely remove (or
    rename) your old Quixote installation directory *before* installing
    0.6, or the old form/form.py will shadow the new form.ptl.)

  * A new and preferred syntax for declaring PTL templates has been added.
    Instead of 'template func(): ...', the new form is 'def func [plain] ()'.

    This uses a notation that's been suggested for adding type
    information to Python functions.  The Emacs Python mode already handles 
    this properly, and it may be more compatible with future versions of 
    Python.

    The 'template' keyword is still supported, but we encourage you 
    to switch to the new syntax when you get a chance.

  * Quixote now supports a new kind of template that automatically performs
    HTML escaping.  Here's an example.  (Notice that the '[plain]'
    annotation is changed to '[html]' to enable this feature.)

        def header [html] (title):
            "<title>%s</title>" % title

    If the 'title' argument is something like "R&D", it will    
    automatically be converted to "R&amp;D" following the rules 
    for escaping HTML special characters.  The aim is to avoid cross-site 
    scripting attacks by automatically 

    See doc/PTL.txt for more information about how this works.

    This escaping is implemented using an 'htmltext' class written in 
    Python, and is currently in production use on our web site.

  * An experimental C implementation of the 'htmltext' type is also
    included; it hasn't been put into production use yet.  Edit 
    setup.py and uncomment the appropriate line if you want to try the
    C implementation.
    
  * The form framework now uses automatic HTML escaping.  This
    means that applications using the form framework will have 
    to either be changed to use automatic HTML escaping themselves, 
    or to use str() to convert 'htmltext' instances back to Python
    strings.
    
    See doc/upgrading.txt for more information.
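To make the escaping mechanism concrete, here is an added Python sketch, not Quixote's own htmltext class (that lives in the 0.6 package, with the experimental C variant beside it). It shows how an [html] template can leave its own string literals alone while escaping values substituted from variables, why an already-escaped htmltext value is not escaped a second time, and why the form-framework note above says str() hands back a plain Python string. The standard library's html.escape stands in for Quixote's html_quote(); the htmltext, _to_safe, header and link names are this example's own, and header() is a hand-written version of what the announcement's 'def header [html] (title):' template would compile to.

```python
from html import escape  # stdlib escaper used as a stand-in for Quixote's html_quote()


def html_quote(value):
    """Escape &, <, > and quotes in a plain string (simplified stand-in for html_quote)."""
    return escape(str(value), quote=True)


class htmltext(str):
    """A str subclass marking text that is already safe to emit as HTML.

    Hypothetical stand-in for Quixote's 'htmltext', not the project's code.
    Literals inside an [html] template are htmltext; anything else that is
    substituted into one is escaped first.
    """
    __slots__ = ()

    def __mod__(self, args):
        # '%' substitution: escape every argument that is not already htmltext
        if isinstance(args, tuple):
            safe = tuple(_to_safe(a) for a in args)
        elif isinstance(args, dict):
            safe = {k: _to_safe(v) for k, v in args.items()}
        else:
            safe = _to_safe(args)
        return htmltext(str.__mod__(self, safe))

    def __add__(self, other):
        # concatenation keeps the result safe by escaping the other side
        return htmltext(str.__add__(self, _to_safe(other)))

    def __radd__(self, other):
        return htmltext(str.__add__(_to_safe(other), self))

    def __str__(self):
        # str() hands back a plain str, which is what the form-framework note
        # tells existing applications to do when they need ordinary strings
        return str.__str__(self)


def _to_safe(value):
    """Pass htmltext through untouched; escape anything else."""
    if isinstance(value, htmltext):
        return value
    return htmltext(html_quote(value))


# What 'def header [html] (title):' from the announcement compiles to:
# the string literal is htmltext, so 'title' is escaped on substitution.
def header(title):
    return htmltext("<title>%s</title>") % title


# A second template using named substitution plus concatenation of htmltext values.
def link(href, label):
    return htmltext('<a href="%(href)s">') % {"href": href} + htmltext("%s</a>") % label


if __name__ == "__main__":
    print(header("R&D"))                       # <title>R&amp;D</title>
    print(header(htmltext("<b>R&amp;D</b>")))  # already-safe value is not escaped twice
    print(link("/search?q=a&b", "A & B"))      # <a href="/search?q=a&amp;b">A &amp; B</a>
    print(type(str(header("R&D"))).__name__)   # str
```

The point of the design is that the safe/unsafe distinction travels with the value rather than with the programmer's memory: a plain str reaching an [html] template is always treated as data and escaped, while only values that are explicitly htmltext (template output, or literals the template author wrote) pass through. Code that mixes the two, which is what the form framework now does, therefore needs str() at the boundary where an ordinary string is genuinely wanted.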

  * Make Quixote a bit more friendly to multi-threaded applications
    by allowing multiple simultaneous publishers, each handling one
    request (patch by Titus Brown).

  * Make util.xmlrpc() return an HTTP 405 Method Not Allowed error
    if the method isn't a POST.

  * Added demo/run_cgi.py, a script that makes it easy to write one-file
    CGI applications that use Quixote.  See the comments at the 
    top of the demo/run_cgi.py file for instructions.

_______________________________________________
Quixote-users mailing list
Quixote-users@mems-exchange.org
http://mail.mems-exchange.org/mailman/listinfo/quixote-users



Copyright © 2003, Eklektix, Inc.