Adding attr_escape to deal with quotes when embedding values in HTML …

…attributes safely.
jehiah · Apr 7, 2010 · 70347b6 · 70347b6
1 parent 002ba2c
commit 70347b6
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/tornado/escape.py b/tornado/escape.py
@@ -46,11 +46,13 @@ def xhtml_escape(value):
     """Escapes a string so it is valid within XML or XHTML."""
     return utf8(xml.sax.saxutils.escape(value, {'"': "&quot;"}))
 
-
 def xhtml_unescape(value):
     """Un-escapes an XML-escaped string."""
     return re.sub(r"&(#?)(\w+?);", _convert_entity, _unicode(value))
 
+def attr_escape(data):
+    """Similar to xhtml_escape(), but also prepares data to be used as an attribute value."""
+    return utf8(xml.sax.saxutils.quoteattr(data))
 
 def json_encode(value):
     """JSON-encodes the given Python object."""

diff --git a/tornado/template.py b/tornado/template.py
@@ -116,6 +116,7 @@ def generate(self, **kwargs):
         """Generate this template with the given arguments."""
         namespace = {
             "escape": escape.xhtml_escape,
+            "attr_escape": escape.attr_escape,
             "url_escape": escape.url_escape,
             "json_encode": escape.json_encode,
             "squeeze": escape.squeeze,