The Python Oracle

What's the easiest way to escape HTML in Python?

Become part of the top 3% of the developers by applying to Toptal https://topt.al/25cXVn

--

Music by Eric Matyas
https://www.soundimage.org
Track title: Riding Sky Waves v001

--

Chapters
00:00 Question
00:22 Accepted answer (Score 197)
01:59 Answer 2 (Score 168)
02:24 Answer 3 (Score 12)
02:59 Answer 4 (Score 9)
03:59 Thank you

--

Full question
https://stackoverflow.com/questions/1061...

Accepted answer links:
[html.escape]: http://docs.python.org/3/library/html.ht...
[cgi.escape]: http://docs.python.org/library/cgi.html#...
[html.escape]: http://docs.python.org/3/library/html.ht...

Answer 2 links:
[html]: https://docs.python.org/3/library/html.h...

Answer 3 links:
[urllib]: http://docs.python.org/2/library/urllib....
[Find docs here]: http://docs.python.org/2/library/urllib....

Answer 4 links:
[markupsafe package]: https://github.com/mitsuhiko/markupsafe

--

Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...

--

Tags
#python #html

#avk47


ACCEPTED ANSWER

Score 211


html.escape is the correct answer now, it used to be cgi.escape in python before 3.2. It escapes:

  • < to &lt;
  • > to &gt;
  • & to &amp;

That is enough for all HTML.

EDIT: If you have non-ascii chars you also want to escape, for inclusion in another encoded document that uses a different encoding, like Craig says, just use:

data.encode('ascii', 'xmlcharrefreplace')

Don't forget to decode data to unicode first, using whatever encoding it was encoded.

However in my experience that kind of encoding is useless if you just work with unicode all the time from start. Just encode at the end to the encoding specified in the document header (utf-8 for maximum compatibility).

Example:

>>> cgi.escape(u'<a>bá</a>').encode('ascii', 'xmlcharrefreplace')
'&lt;a&gt;b&#225;&lt;/a&gt;

Also worth of note (thanks Greg) is the extra quote parameter cgi.escape takes. With it set to True, cgi.escape also escapes double quote chars (") so you can use the resulting value in a XML/HTML attribute.

EDIT: Note that cgi.escape has been deprecated in Python 3.2 in favor of html.escape, which does the same except that quote defaults to True.



ANSWER 2

Score 184


In Python 3.2 a new html module was introduced, which is used for escaping reserved characters from HTML markup.

It has one function escape():

import html

print(html.escape('x > 2 && x < 7 single quote: \' double quote: "'))

x &gt; 2 &amp;&amp; x &lt; 7 single quote: &#x27; double quote: &quot;


ANSWER 3

Score 13


If you wish to escape HTML in a URL:

This is probably NOT what the OP wanted (the question doesn't clearly indicate in which context the escaping is meant to be used), but Python's native library urllib has a method to escape HTML entities that need to be included in a URL safely.

The following is an example:

#!/usr/bin/python
from urllib import quote

x = '+<>^&'
print quote(x) # prints '%2B%3C%3E%5E%26'

Find docs here



ANSWER 4

Score 7


cgi.escape should be good to escape HTML in the limited sense of escaping the HTML tags and character entities.

But you might have to also consider encoding issues: if the HTML you want to quote has non-ASCII characters in a particular encoding, then you would also have to take care that you represent those sensibly when quoting. Perhaps you could convert them to entities. Otherwise you should ensure that the correct encoding translations are done between the "source" HTML and the page it's embedded in, to avoid corrupting the non-ASCII characters.