Web.py

Note: `0.40` is the last release which supports Python 2. Future releases will
drop support for Python 2.

Broken backward compatibilities:

- `web.utils.utf8` and `web.utf8` (it's an alias of `web.utils.utf8`) were
removed. Please replace them by `web.safestr` instead.
- `db.select()` doesn't support specifying offset in `limit` like this:
`db.select(..., limit="2, 10", ...)` (equals to raw SQL statement
`SELECT ... LIMIT 2, 10`). Please replace them by moving the offset to
`offset` keyword like this: `db.select(..., offset=2, limit=10)`.

* Fixed a security issue with the form module (tx Orange Tsai)
* Fixed a security issue with the db module (tx Adrián Brav and Orange Tsai)

* Fixed failing tests in test/session.py when postgres is not installed. (tx Michael Diamond)
* Fixed an error with Python 2.3 (tx Michael Diamond)
* web.database now accepts a URL, $DATABASE_URL (fixes 171) (tx Aaron Swartz, we miss you)
* support port use 'port' as keyword for postgres database with used eith pgdb (tx Sandesh Singh)
* Fixes to FirebirdDB database (tx Ben Hanna)
* Added a gaerun method to start application for google app engine (tx Matt Habel)
* Better error message from `db.multiple_insert` when not all rows have the same keys (tx Ben Hoyt)
* Allow custom messages for most errors (tx Shaun Sharples)
* IPv6 support (tx Matthew of Boswell and zamabe)
* Fixed sending email using Amazon SES (tx asldevi)
* Fixed handling of long numbers in sqlify. closes 213. (tx cjrolo)
* Escape HTML characters when emitting API docs. (tx Jeff Zellman)
* Fixed an inconsistency in form.Dropdown when numbers are used for args and value. (tx Noprianto)
* Fixed a potential remote execution risk in `reparam` (tx Adrián Brav)
* The where clause in db queries can be a dict now
* Added `first` method to iterbetter
* Fix to unexpected session when used with MySQL (tx suhashpatil)
* Change dburl2dict to use urlparse and to support the simple case of just a database name. (tx Jeff Zellman)
* Support '204 No Content' status code (tx Matteo Landi)
* Support `451 Unavailable For Legal Reasons` status code(tx Yannik Robin Kettenbach)
* Updates to documentation (tx goodrone, asldevi)

* Fixed datestr issue on Windows -- 155
* Fixed Python 2.4 compatibility issues (tx fredludlow)
* Fixed error in utils.safewrite (tx shuge) -- 95
* Allow use of web.data() with app.request() -- 105
* Fixed an issue with session initializaton (tx beardedprojamz) -- 109
* Allow custom message on 400 Bad Request (tx patryk) -- 121
* Made djangoerror work on GAE. -- 80
* Handle malformatted data in the urls. -- 117
* Made it easier to stop the dev server -- 100, 122
* Added support for customizing cookie_path in session (tx larsga) -- 89
* Added exception for "415 Unsupported Media" (tx JirkaChadima) -- 145
* Added GroupedDropdown to support `<optgroup>` tag (tx jzellman) -- 152
* Fixed failure in embedded interpreter - 87
* Optimized web.cookies (tx benhoyt) - 148

* Upgraded to CherryPy WSGIServer 3.2.0. -- 66
* Various Jython compatibility fixes (tx Ben Noordhuis)
* allow strips to accept lists -- 69
* Improvements to setcookie (tx lovelylain) -- 65
* Added __contains__ method to Session. (tx lovelylain) 65
* Added secure option to session. -- 38
* Fixed db.delete error with `using` clause (tx berndtj) -- 28
* Fixed the case of no where-clauses in db.where
* Fixed threadlocal error in python2.3 -- 77
* Fixed TemplateResult inconsistent behavior -- 78
* Fixed query execution issues with MSSQL -- 71

* Better ThreaedDict implementation using threadlocal (tx Ben Hoyt)
* Make Form a new-style class -- 53
* Optimized SQLQuery.join and generation of multiple_insert query -- 58
* New: support for Amazon's Simple Email Service
* Added httponly keyword to setcookie (tx Justin Davis)
* Added httponly only option to sessions and enabled it by default (tx Justin Davis)
* made htmlquote and htmlunquote work with unicode
* Added doseq support for web.url
* New flag web.config.debug_sql to control printing of db queries (tx Nimrod S. Kerrett)
* Fixed inserting default values into MySQL -- 49
* Fixed rendering of Dropdown with multiple values (tx krowbar) -- 43
* Fixed multiple set-cookie header issue with session -- 45
* Fixed error in safeunicode when used with appengine datastore objects
* Fixed unicode error in generating debugerror -- 26
* Fixed GAE compilation issue -- 24
* Fixed unicode encoding issue in templates -- 17
* Fixed a bug in form.RadioButton when called with tuple options (tx fhsm) -- 13
* Fixed error in creating PostgresDB with pgdb driver (tx cninucci) -- 23
* Support auto conversion of timestamp/date datatypes in sqlite to datetime.data objects -- 22
* Fixed escaping issue on GAE -- 10
* fixed form.validates for checkbox (tx Justin Davis).
* fixed duplicate content-type in web.sendmail -- 20
* Fix: create session dirs if required (tx Martin Marcher)
* Fixed safestr to make use of encoding argument (tx s7v7nislands)
* Don't allow /static/../foo urls in dev webserver (tx Arnar Lundesgaard)
* Disabled debug mode in flup server (tx irrelative) -- 35
* And a lot of unicode fixes