tags:

views:

2006

answers:

2
+6  Q: 

What's the easiest way to escape HTML in Python?

cgi.escape seems like one possible choice. Does it work well? Is there something that is considered better?

+6  A: 

cgi.escape is fine. It escapes:

  • < to &lt;
  • > to &gt;
  • & to &amp;

That is enough for all HTML.

EDIT: If you have non-ascii chars you also want to escape, for inclusion in another encoded document that uses a different encoding, like Craig says, just use:

data.encode('ascii', 'xmlcharrefreplace')

Don't forget to decode data to unicode first, using whatever encoding it was encoded.

However in my experience that kind of encoding is useless if you just work with unicode all the time from start. Just encode at the end to the encoding specified in the document header (utf-8 for maximum compatibility).

Example:

>>> cgi.escape(u'<a>bá</a>').encode('ascii', 'xmlcharrefreplace')
'&lt;a&gt;b&#225;&lt;/a&gt;

Also worth of note (thanks Greg) is the extra quote parameter cgi.escape takes. With it set to True, cgi.escape also escapes double quote chars (") so you can use the resulting value in a XML/HTML attribute.

nosklo  2009-06-30 04:18:11
The additional boolean parameter to cgi.escape should also be considered for escaping quotes when text is used in HTML attribute values.
Greg Hewgill  2009-06-30 04:20:40
Just to be sure: If I run all untrusted data through the `cgi.escape` function, is enough to protect against all (known) XSS attacs?
Tomas Sedovic  2010-02-11 21:41:29
@Tomas Sedovic: Depends on where you'll put the text after running cgi.escape in it. If placed in root HTML context then yes, you're completely safe.
nosklo  2010-02-12 03:00:34
What about input like {{Measures 12 Ω"H x 17 5/8"W x 8 7/8"D. Imported.}}That's not ascii, so encode() will throw an exception at you.
Andrew Kolesnikov  2010-06-22 15:56:33
@Andrew Kolesnikov: Have you tried it? `cgi.escape(yourunicodeobj).encode('ascii', 'xmlcharrefreplace') == '{{Measures 12 Ω"H x 17 5/8"W x 8 7/8"D. Imported.}}'` -- as you can see, the expression returns ascii bytestring, with all non-ascii unicode chars encoded using the xml character reference table.
nosklo  2010-06-23 03:48:53
+2  A: 

cgi.escape should be good to escape HTML in the limited sense of escaping the HTML tags and character entities.

But you might have to also consider encoding issues: If the HTML you want to quote has non-ASCII characters in a particular encoding, then you would also have to take care that you represent those sensibly when quoting. Perhaps you could convert them to entities. Otherwise you should ensure that the correct encoding translations are done between the "source" HTML and the page it's embedded in, to avoid corrupting the non-ASCII characters.

Craig McQueen  2009-06-30 04:35:26

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?