def nl2br(value):
"""nl2br(value : any) -> htmltext
Insert <br /> tags before newline characters.
"""
text = htmlescape(value)
return htmltext(text.s.replace('\n', '<br />\n'))
def nl2br(value):
"""nl2br(value : any) -> htmltext
Insert <br /> tags before newline characters.
"""
text = htmlescape(value)
return htmltext(text.s.replace('\n', '<br />\n'))
def htmltag(tag, xml_end=False, css_class=None, **attrs):
"""Create a HTML tag."""
r = ["<%s" % tag]
if css_class is not None:
attrs['class'] = css_class
for (attr, val) in attrs.items():
if val is ValuelessAttr:
val = attr
if val is not None:
r.append(' %s="%s"' % (attr, stringify(htmlescape(val))))
if xml_end:
r.append(" />")
else:
r.append(">")
return htmltext("".join(r))
def htmltag(tag, xml_end=False, css_class=None, **attrs):
"""Create a HTML tag.
"""
r = ["<%s" % tag]
if css_class is not None:
attrs['class'] = css_class
for (attr, val) in attrs.items():
if val is ValuelessAttr:
val = attr
if val is not None:
r.append(' %s="%s"' % (attr, htmlescape(val)))
if xml_end:
r.append(" />")
else:
r.append(">")
return htmltext("".join(r))
def _q_format(value, conversion=-1, format_spec=None):
# Used by f-strings to format the {..} parts
if conversion == -1 and format_spec is None:
return htmlescape(value) # simple and fast case
if conversion == -1:
fmt = '{%s}'
else:
conversion = chr(conversion)
if conversion == 'r':
fmt = '{%s!r}'
elif conversion == 's':
fmt = '{%s!s}'
elif conversion == 'a':
fmt = '{%s!a}'
else:
assert 0, 'invalid conversion %r' % conversion
arg = _wraparg(value)
if format_spec:
fmt = fmt % (':' + str(format_spec))
else:
fmt = fmt % ''
return htmltext(fmt.format(arg))
def href(url, text, title=None, **attrs):
return (htmltag("a", href=url, title=title, **attrs) + htmlescape(text) +
htmltext("</a>"))
"""Various functions for dealing with HTML.
These functions are fairly simple but it is critical that they be
used correctly. Many security problems are caused by escaping errors
(cross site scripting is one example). The HTML and XML standards on
www.w3c.org and www.xml.com should be studied, especially the sections
on character sets, entities, attribute and values.
htmltext and htmlescape
-----------------------
This type and function are meant to be used with [html] PTL template type.
The htmltext type designates data that does not need to be escaped and the
htmlescape() function calls str() on the argment, escapes the resulting
string and returns a htmltext instance. htmlescape() does nothing to
htmltext instances.
url_quote
---------
Use for quoting data to be included as part of a URL, for example:
input = "foo bar"
...
'<a href="/search?keyword=%s">' % url_quote(input)
Note that URLs are usually used as attribute values and might need to have
HTML special characters escaped. As an example of incorrect usage:
url = 'http://example.com/?a=1©=0' # INCORRECT
def href(url, text, title=None, **attrs):
return (htmltag("a", href=url, title=title, **attrs) +
htmlescape(text) +
htmltext("</a>"))
"""Various functions for dealing with HTML.
These functions are fairly simple but it is critical that they be
used correctly. Many security problems are caused by escaping errors
(cross site scripting is one example). The HTML and XML standards on
www.w3c.org and www.xml.com should be studied, especially the sections
on character sets, entities, attribute and values.
htmltext and htmlescape
-----------------------
This type and function are meant to be used with [html] PTL template type.
The htmltext type designates data that does not need to be escaped and the
htmlescape() function calls str() on the argment, escapes the resulting
string and returns a htmltext instance. htmlescape() does nothing to
htmltext instances.
url_quote
---------
Use for quoting data to be included as part of a URL, for example:
input = "foo bar"
...
'<a href="/search?keyword=%s">' % url_quote(input)
Note that URLs are usually used as attribute values and might need to have
HTML special characters escaped. As an example of incorrect usage:
url = 'http://example.com/?a=1©=0' # INCORRECT
