def compute_next_context(self, prior, match):
    """
    Computes the context that follows an attribute name.

    prior - The context in effect before the attribute name was seen.
    match - A regex match whose group(1) is the attribute name just parsed.

    Returns STATE_ATTR_NAME combined with the element type of prior and an
    attribute type: ATTR_SCRIPT, ATTR_STYLE or ATTR_URL when the attribute
    name is classified as JS, CSS or URL content respectively, otherwise the
    attribute type already carried by prior.
    """
    attr_name = match.group(1)
    name_kind = html.attr_type(attr_name)
    # Start from the attribute type recorded in the prior context and let a
    # recognised content kind of the attribute name take precedence over it.
    attr = attr_type_of(prior)
    special_kinds = (
        (content.CONTENT_KIND_JS, ATTR_SCRIPT),
        (content.CONTENT_KIND_CSS, ATTR_STYLE),
        (content.CONTENT_KIND_URL, ATTR_URL),
    )
    for candidate_kind, candidate_attr in special_kinds:
        if name_kind == candidate_kind:
            attr = candidate_attr
            break
    return STATE_ATTR_NAME | element_type_of(prior) | attr
def filter_html_attribute(value):
    """
    Filters out strings that cannot be a substring of a valid HTML attribute.

    value - The value to escape.  A TypedContent of kind HTML_ATTR is used
        as-is (its .content) without the per-character helper; None yields
        the empty string; anything that is neither str nor unicode is
        coerced with str() before filtering.

    Returns a valid HTML attribute name part or name/value pair, or the
    innocuous token "zSafehtmlz" when the input cannot be made safe.
    """
    if value is None:
        return ''

    is_trusted_attr = (isinstance(value, content.TypedContent)
                       and value.kind == content.CONTENT_KIND_HTML_ATTR)
    if is_trusted_attr:
        text = value.content
    else:
        text = value if type(value) in (str, unicode) else str(value)
        text = _filter_html_attribute_helper(text)

    # Anything that classifies as other than plain attribute content (e.g. a
    # name that would introduce script, style or URL context) is rejected.
    if html.attr_type(text) != content.CONTENT_KIND_PLAIN:
        return 'zSafehtmlz'

    # A bare attribute name (no '=') needs no further work.
    if '=' not in text:
        return text

    # A name/value pair is re-emitted with the value quoted.  The contextual
    # autoescaper propagates context left to right, so it cannot tell
    #     <div {$x}>
    # from
    #     <div {$x}={$y}>.
    # Without quoting, {$x} = "dir=ltr" followed by {$y} = "foo" would be
    # parsed as the single attribute "dir=ltr=foo"; quoting the value keeps
    # a trailing "=..." from attaching to it.
    pair = _ATTR_NAME_VALUE_PAIR.search(text)
    if pair is None:
        return 'zSafehtmlz'
    attr_name = pair.group(1)
    attr_value = _normalize_html_helper(pair.group(2))
    return ' %s="%s"' % (attr_name, attr_value)
def filter_html_attribute(value):
    """
    Filters out strings that cannot be a substring of a valid HTML attribute.

    value - The value to escape.  A TypedContent of kind HTML_ATTR is used
        as-is (its .content) without the per-character helper; None yields
        the empty string; anything that is neither str nor unicode is
        coerced with str() before filtering.

    Returns a valid HTML attribute name part or name/value pair, or the
    innocuous token "zSafehtmlz" when the input cannot be made safe.
    """
    if value is None:
        return ''

    is_trusted_attr = (isinstance(value, content.TypedContent)
                       and value.kind == content.CONTENT_KIND_HTML_ATTR)
    if is_trusted_attr:
        text = value.content
    else:
        text = value if type(value) in (str, unicode) else str(value)
        text = _filter_html_attribute_helper(text)

    # Anything that classifies as other than plain attribute content (e.g. a
    # name that would introduce script, style or URL context) is rejected.
    if html.attr_type(text) != content.CONTENT_KIND_PLAIN:
        return 'zSafehtmlz'

    # A bare attribute name (no '=') needs no further work.
    if '=' not in text:
        return text

    # A name/value pair is re-emitted with the value quoted.  The contextual
    # autoescaper propagates context left to right, so it cannot tell
    #     <div {$x}>
    # from
    #     <div {$x}={$y}>.
    # Without quoting, {$x} = "dir=ltr" followed by {$y} = "foo" would be
    # parsed as the single attribute "dir=ltr=foo"; quoting the value keeps
    # a trailing "=..." from attaching to it.
    pair = _ATTR_NAME_VALUE_PAIR.search(text)
    if pair is None:
        return 'zSafehtmlz'
    attr_name = pair.group(1)
    attr_value = _normalize_html_helper(pair.group(2))
    return ' %s="%s"' % (attr_name, attr_value)