I have an `<img src=__string__>`, but the string might contain `"`. What should I do to escape it?

Example:

__string__ = test".jpg
<img src="test".jpg">

doesn't work.

A: 

The best way to escape XML or HTML in Python is probably with triple quotes. Note that you can also escape carriage returns.

"""<foo bar="1" baz="2" bat="3">
<ack/>
</foo>
"""
eeeeaaii
I don't think that answers the question. He's wanting to know how to properly escape quotes _inside_ `__string__`, since he's using quotes _around_ `__string__`.
Bryan Oakley
+2  A: 

If the URL you're using (as an img src here) might contain quotes, you should use URL quoting.

For python, use the urllib.quote method before passing the URL string to your template:

import urllib  # Python 2 module; in Python 3 the same function is urllib.parse.quote
img_url = 'test".jpg'
__string__ = urllib.quote(img_url)  # percent-encodes the double quote as %22
tcarobruce
thanks, but if it's not a URL or unicode, it fails for the title attribute
Timmy
@Timmy, what do you mean by "it fails for title attribute"? The call to urllib.quote returns "test%22.jpg", which I believe is what you want.
Nikhil Chelliah
it fails for unicode
Timmy
+3  A: 
import cgi
s = cgi.escape('test".jpg', True)

http://docs.python.org/library/cgi.html#cgi.escape

Note that the True flag tells it to escape double quotes. If you need to escape single quotes as well (if you're one of those rare individuals who use single quotes to surround HTML attributes), read the note in that documentation link about xml.sax.saxutils.quoteattr(). The latter does both kinds of quotes, though it is about three times as slow:

>>> timeit.Timer( "escape('asdf\"asef', True)", "from cgi import escape").timeit()
1.2772219181060791
>>> timeit.Timer( "quoteattr('asdf\"asef')", "from xml.sax.saxutils import quoteattr").timeit()
3.9785079956054688
Forest
cgi.escape does not escape single quotes. For this reason it is dangerous to use it for HTML escaping, because the attribute the variable is being put into may be single quoted. If the attribute is single quoted, a cross-site scripting vulnerability could easily be found.
Craig Younkins
I explicitly mentioned the single quote issue in my answer.
Forest
+3  A: 

If your value being escaped might contain quotes, the best thing is to use the quoteattr method: http://docs.python.org/library/xml.sax.utils.html#module-xml.sax.saxutils

This is referenced right beneath the docs on the cgi.escape() method.

gomad
+1, quoteattr is **exactly** the right function to use for this (and the online Python docs are pretty clear about this, too!).
Alex Martelli
That's cool. But worth noting that if your string contains both single and double quotes, you'll get a URL with `"` in it, which is not likely to resolve to the resource you are targeting.
tcarobruce
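Pulling Forest's and gomad's answers together in one runnable Python 3 script (an added example, not code from any of the posters): it emulates the old `cgi.escape(value, True)` behaviour that Craig Younkins's comment warns about, renders the attribute with each approach, and checks whether the value can terminate its own delimiter early. `cgi_style_escape` and `attribute_intact` are hypothetical helpers written for this demo (the latter is a crude delimiter check, not an HTML parser); sample values other than the question's own `test".jpg` are constructed, and `html.escape` stands in for `cgi.escape`, which was removed in Python 3.8.

```python
import html
from xml.sax.saxutils import quoteattr


def cgi_style_escape(value):
    """Emulate Python 2's cgi.escape(value, True): &, <, > and " become entities, ' is left alone."""
    return html.escape(value, quote=False).replace('"', '&quot;')


def py3_escape(value):
    """Python 3's html.escape(quote=True) escapes both " and ', so either delimiter is safe."""
    return html.escape(value, quote=True)


def render_attr(value, escaper, quote='"'):
    """Render <img src=...> the way a template does: the template supplies the delimiter."""
    return '<img src=%s%s%s>' % (quote, escaper(value), quote)


def render_quoteattr(value):
    """quoteattr chooses the delimiter itself, so the template must not add its own quotes."""
    return '<img src=%s>' % quoteattr(value)


def attribute_intact(markup):
    """Crude demo check: the delimiter is the character after 'src='; the value
    is intact only if no unescaped copy of that delimiter appears inside it."""
    prefix = '<img src='
    quote = markup[len(prefix)]
    body = markup[len(prefix) + 1:-2]  # drop prefix + opening quote, and closing quote + '>'
    return quote not in body


def demo():
    """Constructed sample values; the first is the question's own test".jpg."""
    cases = {
        'double-quoted attr, cgi-style':    render_attr('test".jpg', cgi_style_escape, '"'),
        "single-quoted attr, cgi-style":    render_attr("it's.jpg", cgi_style_escape, "'"),
        "single-quoted attr, html.escape":  render_attr("it's.jpg", py3_escape, "'"),
        'quoteattr, double quote in value': render_quoteattr('test".jpg'),
        'quoteattr, both quotes in value':  render_quoteattr('a\'b"c.jpg'),
    }
    return {label: (markup, attribute_intact(markup)) for label, markup in cases.items()}


if __name__ == '__main__':
    for label, (markup, ok) in demo().items():
        print('%-34s %-6s %s' % (label, 'OK' if ok else 'BROKEN', markup))
```

The second case is the hazard from the comments: a cgi-style escaper inside a single-quoted attribute leaves the value free to close the attribute, while both `html.escape(quote=True)` and `quoteattr` keep it intact.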