What s the easiest way to escape HTML in Python

Question

cgi escape seems like one possible choice   Does it work well   Is there something that is considered better

User · Answer

There is also the excellent markupsafe package.

>>> from markupsafe import Markup, escape
>>> escape("<script>alert(document.cookie);</script>")
Markup(u'&lt;script&gt;alert(document.cookie);&lt;/script&gt;')

The markupsafe package is well engineered, and probably the most versatile and Pythonic way to go about escaping, IMHO, because:

the return (Markup) is a class derived from unicode (i.e. isinstance(escape('str'), unicode) == True
it properly handles unicode input
it works in Python (2.6, 2.7, 3.3, and pypy)
it respects custom methods of objects (i.e. objects with a __html__ property) and template overloads (__html_format__).

User · Answer

cgi escape should be good to escape HTML in the limited sense of escaping the HTML tags and character entities   But you might have to also consider encoding issues  if the HTML you want to quote has non-ASCII characters in a particular encoding  then you would also have to take care that you represent those sensibly when quoting  Perhaps you could convert them to entities  Otherwise you should ensure that the correct encoding translations are done between the  source  HTML and the page it s embedded in  to avoid corrupting the non-ASCII characters

User · Answer

cgi escape is fine  It escapes     lt  to  amp lt   gt  to  amp gt   amp  to  amp amp    That is enough for all HTML   EDIT  If you have non-ascii chars you also want to escape  for inclusion in another encoded document that uses a different encoding  like Craig says  just use   data encode  ascii    xmlcharrefreplace     Don t forget to decode data to unicode first  using whatever encoding it was encoded   However in my experience that kind of encoding is useless if you just work with unicode all the time from start  Just encode at the end to the encoding specified in the document header  utf-8 for maximum compatibility    Example    gt  gt  gt  cgi escape u  lt a gt b   lt  a gt    encode  ascii    xmlcharrefreplace     amp lt a amp gt b amp  225  amp lt  a amp gt    Also worth of note  thanks Greg  is the extra quote parameter cgi escape takes  With it set to True  cgi escape also escapes double quote chars     so you can use the resulting value in a XML HTML attribute   EDIT  Note that cgi escape has been deprecated in Python 3 2 in favor of html escape  which does the same except that quote defaults to True

User · Answer

Not the easiest way  but still straightforward  The main difference from cgi escape module - it still will work properly if you already have  amp amp  in your text  As you see from comments to it   cgi escape version  def escape s  quote None          Replace special characters   amp      lt   and   gt   to HTML-safe sequences      If the optional flag quote is true  the quotation mark character     is also translated         s   s replace   amp      amp amp      Must be done first      s   s replace   lt      amp lt        s   s replace   gt      amp gt        if quote          s   s replace        amp quot        return s   regex version  QUOTE PATTERN   r      amp  lt  gt         amp lt gt quot  39       def escape word               Replaces special characters  lt  gt  amp    to HTML-safe sequences       With attention to already escaped characters              replace with               lt      amp gt              gt      amp lt              amp      amp amp                   amp quot      should be escaped in attributes                amp  39       should be escaped in attributes           quote pattern   re compile QUOTE PATTERN      return re sub quote pattern  lambda x  replace with x group 0    word

User · Answer

If you wish to escape HTML in a URL   This is probably NOT what the OP wanted  the question doesn t clearly indicate in which context the escaping is meant to be used   but Python s native library urllib has a method to escape HTML entities that need to be included in a URL safely   The following is an example      usr bin python from urllib import quote  x      lt  gt   amp   print quote x    prints   2B 3C 3E 5E 26    Find docs here

User · Answer

No libraries  pure python  safely escapes text into html text  text replace   amp      amp amp    replace   gt      amp gt    replace   lt      amp lt             replace        amp  39    replace   quot     amp  34    encode  ascii    xmlcharrefreplace

User · Answer

For legacy code in Python 2 7  can do it via BeautifulSoup4    gt  gt  gt  bs4 dammit import EntitySubstitution  gt  gt  gt  esub   EntitySubstitution    gt  gt  gt  esub substitute html  r amp d    r amp amp d

User · Answer

cgi escape extended  This version improves cgi escape   It also preserves whitespace and newlines   Returns a unicode string   def escape html text          escape strings for display in HTML        return cgi escape text  quote True               replace u  n   u  lt br   gt                 replace u  t   u  amp emsp                 replace u      u   amp nbsp      for example   gt  gt  gt  escape html   lt foo gt  nfoo t bar    u  amp lt foo amp gt  lt br   gt foo amp emsp  amp quot bar amp quot

User · Answer

In Python 3 2 a new html module was introduced  which is used for escaping reserved characters from HTML markup   It has one function escape      gt  gt  gt  import html  gt  gt  gt  html escape  x  gt  2  amp  amp  x  lt  7 single quote     double quote       x  amp gt  2  amp amp  amp amp  x  amp lt  7 single quote   amp  x27  double quote   amp quot

[python] What's the easiest way to escape HTML in Python?

Examples related to python

Examples related to html