ANN: Quixote 0.6beta1 released
Andrew Kuchling
2003-01-09
We've just issued a beta 1 release of Quixote 0.6.

  http://www.mems-exchange.org/software/files/quixote/Quixote-0.6b1.tar.gz

A full list of changes is below.  Particularly notable changes are:

    * A change to PTL declaration syntax, from:

template func ():
    ...

to:

def func [plain] ():    or      def func [html] ():
    ...                             ...

(The 'template' keyword is still supported.)  If you use [plain] in
the definition, templates behave exactly as they do in 0.5.1.
If you use [html], you enable the next feature...

    * ... automatic HTML escaping.  <, >, and & in string literals
inside an HTML template are left alone, but strings coming from
variables or expressions will automatically have such characters
escaped.  Result: you don't have to remember to use
html_quote(), and security holes that expose you to cross-site
scripting attacks should be much rarer.  See doc/PTL.txt for more
details about how this works.

    * The form framework now uses automatic HTML escaping.  This is
probably the largest backward incompatibility in 0.6; users of the
form framework will have to modify their code.

Please send questions, comments and bug reports to the quixote-users
list.

--amk                                                    (www.amk.ca)
I can stand an operation on its head quicker than anyone.
      -- The Doctor, in "The Macra Terror"


Full change list for 0.6b1 (9 Jan 2003):

  * Merged form/form.py and form/form_templates.ptl into
    form/form.ptl. (This means that you should completely remove (or
    rename) your old Quixote installation directory *before* installing
    0.6, or the old form/form.py will shadow the new form.ptl.)

  * A new and preferred syntax for declaring PTL templates has been added.
    Instead of 'template func(): ...', the new form is 'def func [plain] ()'.

    This uses a notation that's been suggested for adding type
    information to Python functions.  The Emacs Python mode already handles
    this properly, and it may be more compatible with future versions of
    Python.

    The 'template' keyword is still supported, but we encourage you
    to switch to the new syntax when you get a chance.

  * Quixote now supports a new kind of template that automatically performs
    HTML escaping.  Here's an example.  (Notice that the '[plain]'
    annotation is changed to '[html]' to enable this feature.)

        def header [html] (title):
            "%s" % title

    If the 'title' argument is something like "R&D", it will
    automatically be converted to "R&amp;D" following the rules
    for escaping HTML special characters.  The aim is to avoid cross-site
    scripting attacks by automatically

    See doc/PTL.txt for more information about how this works.

    This escaping is implemented using a 'htmltext' class implemented in
    Python, and is currently in production use on our web site.

  * An experimental C implementation of the 'htmltext' type is also
    included; it hasn't been put into production use yet.  Edit
    setup.py and uncomment the appropriate line if you want to try the
    C implementation.

  * The form framework now uses automatic HTML escaping.  This
    means that applications using the form framework will have
    to either be changed to use automatic HTML escaping themselves,
    or to use str() to convert 'htmltext' instances back to Python
    strings.

    See doc/upgrading.txt for more information.

  * Make Quixote a bit more friendly to multi-threaded applications
    by allowing multiple simultaneous publishers, each handling one
    request (patch by Titus Brown).

  * Make util.xmlrpc() return an HTTP 405 Method Not Allowed error
    if the method isn't a POST.

  * Added demo/run_cgi.py, a script that makes it easy to write one
    file CGI applications that use Quixote.  See the comments at the
    top of the demo/run_cgi.py file for instructions.

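The following is an added illustration of the escaping behaviour the announcement describes (literals in an [html] template are trusted, values mixed in through %-formatting or + are escaped, str() turns the result back into a plain string). It is not Quixote's own htmltext class or PTL code: the htmltext stand-in, the two template functions (written as ordinary Python 3 functions, since the PTL syntax needs the PTL compiler), and the attack string are constructed here, and html.escape from the standard library is assumed to be an adequate substitute for Quixote's html_quote().

```python
from html import escape as _escape  # assumed equivalent to Quixote's html_quote()


class htmltext(str):
    """Marks a string as already-safe HTML (simplified stand-in, not Quixote's).

    A literal inside an [html] template is wrapped in this type.  Whenever
    something else is combined with it via % or +, the other operand is
    escaped first unless it is itself htmltext, so trusted markup passes
    through untouched and untrusted values never can.  Only %s-style
    conversions are handled here.
    """
    __slots__ = ()

    def __mod__(self, args):
        if isinstance(args, tuple):
            args = tuple(_quote(a) for a in args)
        elif isinstance(args, dict):
            args = {k: _quote(v) for k, v in args.items()}
        else:
            args = _quote(args)
        # Format with the plain str implementation, then re-mark as safe:
        # every operand is now either escaped or already-trusted markup.
        return htmltext(str.__mod__(self, args))

    def __add__(self, other):
        return htmltext(str.__add__(self, _quote(other)))

    def __radd__(self, other):
        # Reached for `plain_str + htmltext`; Python tries the subclass's
        # reflected method first, so the plain operand still gets escaped.
        return htmltext(str.__add__(_quote(other), self))


def _quote(value):
    """Escape anything that is not already trusted markup."""
    if isinstance(value, htmltext):
        return value
    return htmltext(_escape(str(value), quote=True))


# Constructed attack payload for the demonstration.
ATTACK = '<script>alert(1)</script>'


def header_html(title):
    """Stand-in for a hypothetical 'def header [html] (title)' template.

    The literal is trusted; 'title' comes from a variable and is escaped.
    """
    return htmltext("<h2>%s</h2>") % title


def header_plain(title):
    """Stand-in for the same template declared [plain] (0.5.1 behaviour).

    Nothing is escaped, so a hostile 'title' is emitted verbatim.
    """
    return "<h2>%s</h2>" % title


if __name__ == "__main__":
    print(header_html("R&D"))              # <h2>R&amp;D</h2>
    print(header_html(ATTACK))             # script tags neutralised
    print(header_plain(ATTACK))            # script tags emitted as-is
    # Already-trusted markup is not double-escaped:
    print(header_html(htmltext("<em>R&amp;D</em>")))
    # Migration path mentioned for the form framework: str() gives a
    # plain string back to code that has not adopted htmltext yet.
    print(type(str(header_html("R&D"))).__name__)
```

Passing an htmltext value into header_html shows the rule that matters for the form framework change: output produced by one [html] template can be fed into another without being escaped twice, while anything that is still a plain str is treated as untrusted data.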