i have a <img src=__string__> but string might contain ", what should I do to escape it?
Example:
__string__ = test".jpg
<img src="test".jpg">
doesn't work.
views:
127answers:
4
A:
The best way to escape XML or HTML in python is probably with triple quotes. Note that you can also escape carriage returns.
"""<foo bar="1" baz="2" bat="3">
<ack/>
</foo>
"""
eeeeaaii
2010-06-22 20:43:02
I don't think that answers the question. He's wanting to know how to properly escape quotes _inside_ `__string__`, since he's using quotes _around_ `__string__`.
Bryan Oakley
2010-06-22 20:48:50
+2
A:
If the URL you're using (as an img src here) might contain quotes, you should use URL quoting.
For python, use the urllib.quote method before passing the URL string to your template:
img_url = 'test".jpg'
__string__ = urllib.quote(img_url)
tcarobruce
2010-06-22 20:54:03
@Timmy, what do you mean by "it fails for title attribute"? The call to urllib.quote returns "test%22.jpg", which I believe is what you want.
Nikhil Chelliah
2010-06-22 22:05:04
+3
A:
import cgi
s = cgi.escape('test".jpg', True)
http://docs.python.org/library/cgi.html#cgi.escape
Note that the True flag tells it to escape double quotes. If you need to escape single quotes as well (if you're one of those rare individuals who use single quotes to surround html attributes) read the note in that documentation link about xml.sax.saxutils.quoteattr(). The latter does both kinds of quotes, though it is about three times as slow:
>>> timeit.Timer( "escape('asdf\"asef', True)", "from cgi import escape").timeit()
1.2772219181060791
>>> timeit.Timer( "quoteattr('asdf\"asef')", "from xml.sax.saxutils import quoteattr").timeit()
3.9785079956054688
Forest
2010-06-22 21:42:29
cgi.escape does not escape single quotes. For this reason it is dangerous to use it for HTML escaping, because the attribute the variable is being put into may be single quoted. If the attribute is single quoted, a cross-site scripting vulnerability could easily be found.
Craig Younkins
2010-06-24 02:41:17
+3
A:
If your value being escaped might contain quotes, the best thing is to use the quoteattr method: http://docs.python.org/library/xml.sax.utils.html#module-xml.sax.saxutils
This is referenced right beneath the docs on the cgi.escape() method.
gomad
2010-06-22 22:38:56
+1, quoteattr is **exactly** the right function to use for this (and the online Python docs are pretty clear about this, too!).
Alex Martelli
2010-06-23 00:36:07
That's cool. But worth noting if your string contains both single and double quotes, you'll get a URL with `"` in it, which is not likely to resolve to the resource you are targeting.
tcarobruce
2010-06-23 01:00:05