i have a
<img src=__string__> but string might contain ", what should I do to escape it?
__string__ = test".jpg <img src="test".jpg">
If your value being escaped might contain quotes, the best thing is to use the
quoteattr method: http://docs.python.org/library/xml.sax.utils.html#module-xml.sax.saxutils
This is referenced right beneath the docs on the cgi.escape() method.
In Python 3.2 a new
html module was introduced, which is used for escaping reserved characters from HTML markup.
It has one function
If the optional flag quote is true, the characters
(') are also translated.
>>> import html >>> html.escape('x > 2 && x < 7') 'x > 2 && x < 7'
import cgi s = cgi.escape('test".jpg', True)
Note that the
True flag tells it to escape double quotes. If you need to escape single quotes as well (if you're one of those rare individuals who use single quotes to surround html attributes) read the note in that documentation link about xml.sax.saxutils.quoteattr(). The latter does both kinds of quotes, though it is about three times as slow:
>>> timeit.Timer( "escape('asdf\"asef', True)", "from cgi import escape").timeit() 1.2772219181060791 >>> timeit.Timer( "quoteattr('asdf\"asef')", "from xml.sax.saxutils import quoteattr").timeit() 3.9785079956054688
If the URL you're using (as an
img src here) might contain quotes, you should use URL quoting.
For python, use the urllib.quote method before passing the URL string to your template:
img_url = 'test".jpg' __string__ = urllib.quote(img_url)
The best way to escape XML or HTML in python is probably with triple quotes. Note that you can also escape carriage returns.
"""<foo bar="1" baz="2" bat="3"> <ack/> </foo> """