summaryrefslogtreecommitdiffstats
path: root/Doc/library
diff options
context:
space:
mode:
authorGeorg Brandl <georg@python.org>2010-10-15 15:57:45 (GMT)
committerGeorg Brandl <georg@python.org>2010-10-15 15:57:45 (GMT)
commit1f7fffb308390d10a2c6a4ec624f18cfeef97aeb (patch)
tree65e2437904ba089004c69c77b49e5059623b83fb /Doc/library
parent70543acfa1bce2e5f448d8d0085df595bfa9a2f9 (diff)
downloadcpython-1f7fffb308390d10a2c6a4ec624f18cfeef97aeb.zip
cpython-1f7fffb308390d10a2c6a4ec624f18cfeef97aeb.tar.gz
cpython-1f7fffb308390d10a2c6a4ec624f18cfeef97aeb.tar.bz2
#2830: add html.escape() helper and move cgi.escape() uses in the standard library to it. It defaults to quote=True and also escapes single quotes, which makes casual use safer. The cgi.escape() interface is not touched, but emits a (silent) PendingDeprecationWarning.
Diffstat (limited to 'Doc/library')
-rw-r--r--Doc/library/cgi.rst14
-rw-r--r--Doc/library/html.rst18
-rw-r--r--Doc/library/markup.rst1
3 files changed, 26 insertions, 7 deletions
diff --git a/Doc/library/cgi.rst b/Doc/library/cgi.rst
index 49d1488..8c75517 100644
--- a/Doc/library/cgi.rst
+++ b/Doc/library/cgi.rst
@@ -328,9 +328,9 @@ algorithms implemented in this module in other circumstances.
attribute value delimited by double quotes, as in ``<a href="...">``. Note
that single quotes are never translated.
- If the value to be quoted might include single- or double-quote characters,
- or both, consider using the :func:`~xml.sax.saxutils.quoteattr` function in the
- :mod:`xml.sax.saxutils` module instead.
+ .. deprecated:: 3.2
+ This function is unsafe because *quote* is false by default, and therefore
+ deprecated. Use :func:`html.escape` instead.
.. _cgi-security:
@@ -508,8 +508,8 @@ Common problems and solutions
.. rubric:: Footnotes
-.. [#] Note that some recent versions of the HTML specification do state what order the
- field values should be supplied in, but knowing whether a request was
- received from a conforming browser, or even from a browser at all, is tedious
- and error-prone.
+.. [#] Note that some recent versions of the HTML specification do state what
+ order the field values should be supplied in, but knowing whether a request
+ was received from a conforming browser, or even from a browser at all, is
+ tedious and error-prone.
diff --git a/Doc/library/html.rst b/Doc/library/html.rst
new file mode 100644
index 0000000..2c42cf8
--- /dev/null
+++ b/Doc/library/html.rst
@@ -0,0 +1,18 @@
+:mod:`html` --- HyperText Markup Language support
+=================================================
+
+.. module:: html
+ :synopsis: Helpers for manipulating HTML.
+
+.. versionadded:: 3.2
+
+
+This module defines utilities to manipulate HTML.
+
+.. function:: escape(s, quote=True)
+
+ Convert the characters ``&``, ``<`` and ``>`` in string *s* to HTML-safe
+ sequences. Use this if you need to display text that might contain such
+ characters in HTML. If the optional flag *quote* is true, the characters
+ (``"``) and (``'``) are also translated; this helps for inclusion in an HTML
+ attribute value delimited by quotes, as in ``<a href="...">``.
diff --git a/Doc/library/markup.rst b/Doc/library/markup.rst
index ae97b69..49794ef 100644
--- a/Doc/library/markup.rst
+++ b/Doc/library/markup.rst
@@ -20,6 +20,7 @@ definition of the Python bindings for the DOM and SAX interfaces.
.. toctree::
+ html.rst
html.parser.rst
html.entities.rst
pyexpat.rst