def compute_next_context(self, prior, match):
content_kind = html.attr_type(match.group(1))
attr = attr_type_of(prior)
if content_kind == content.CONTENT_KIND_JS:
attr = ATTR_SCRIPT
elif content_kind == content.CONTENT_KIND_CSS:
attr = ATTR_STYLE
elif content_kind == content.CONTENT_KIND_URL:
attr = ATTR_URL
return STATE_ATTR_NAME | element_type_of(prior) | attr
def compute_next_context(self, prior, match):
content_kind = html.attr_type(match.group(1))
attr = attr_type_of(prior)
if content_kind == content.CONTENT_KIND_JS:
attr = ATTR_SCRIPT
elif content_kind == content.CONTENT_KIND_CSS:
attr = ATTR_STYLE
elif content_kind == content.CONTENT_KIND_URL:
attr = ATTR_URL
return STATE_ATTR_NAME | element_type_of(prior) | attr
def filter_html_attribute(value):
"""
Filters out strings that cannot be a substring of a valid HTML attribute.
value - The value to escape. May not be a string, but the value
will be coerced to a string.
Returns a valid HTML attribute name part or name/value pair.
\"zSafehtmlz\" if the input is invalid.
"""
if (isinstance(value, content.TypedContent)
and value.kind == content.CONTENT_KIND_HTML_ATTR):
value = value.content
elif value is None:
return ''
else:
if type(value) not in (str, unicode):
value = str(value)
value = _filter_html_attribute_helper(value)
if content.CONTENT_KIND_PLAIN != html.attr_type(value):
return 'zSafehtmlz'
if value.find('=') < 0:
return value
# Quote any attribute values so that a contextually autoescaped
# whole attribute does not end up having a following value
# associated with it.
# The contextual autoescaper, since it propagates context left to
# right, is unable to distinguish
# <div {$x}>
# from
# <div {$x}={$y}>.
# If {$x} is "dir=ltr", and y is "foo" make sure the parser does not
# see the attribute "dir=ltr=foo".
match = _ATTR_NAME_VALUE_PAIR.search(value)
if not match:
return 'zSafehtmlz'
return ' %s="%s"' % (match.group(1), _normalize_html_helper(
match.group(2)))
def filter_html_attribute(value):
"""
Filters out strings that cannot be a substring of a valid HTML attribute.
value - The value to escape. May not be a string, but the value
will be coerced to a string.
Returns a valid HTML attribute name part or name/value pair.
\"zSafehtmlz\" if the input is invalid.
"""
if (isinstance(value, content.TypedContent)
and value.kind == content.CONTENT_KIND_HTML_ATTR):
value = value.content
elif value is None:
return ''
else:
if type(value) not in (str, unicode):
value = str(value)
value = _filter_html_attribute_helper(value)
if content.CONTENT_KIND_PLAIN != html.attr_type(value):
return 'zSafehtmlz'
if value.find('=') < 0:
return value
# Quote any attribute values so that a contextually autoescaped
# whole attribute does not end up having a following value
# associated with it.
# The contextual autoescaper, since it propagates context left to
# right, is unable to distinguish
# <div {$x}>
# from
# <div {$x}={$y}>.
# If {$x} is "dir=ltr", and y is "foo" make sure the parser does not
# see the attribute "dir=ltr=foo".
match = _ATTR_NAME_VALUE_PAIR.search(value)
if not match:
return 'zSafehtmlz'
return ' %s="%s"' % (match.group(1), _normalize_html_helper(match.group(2)))
