Quotes are not escaped #79

phihag opened this Issue · 4 comments

2 participants


This may be an error in mustache, or a misconception of mine, but why are quotes (in attribute values, but optionally everywhere else too) not escaped?

>>> import pystache
>>> pystache.render(u'<div title="{{title}}">Hover</div>', {'title': u'The "mustache" library'})
u'<div title="The "mustache" library">Hover</div>'

I expected

u'<div title="The &quot;mustache&quot; library">Hover</div>'

which matches the output (sans u, of course) I get from mustache.js.
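
The behaviour reported above, checked by feeding the rendered markup to an HTML parser. This is an added example, not part of the original post or of Pystache's code. It assumes `cgi_style_escape` (a re-implementation of what `cgi.escape` did) stands in for the fallback escaper, and the templates use `%s` in place of `{{title}}`.

```python
from html import escape as html_escape
from html.parser import HTMLParser

def cgi_style_escape(s, quote=False):
    # Re-implementation (assumption) of cgi.escape: &, <, > and, only when
    # quote=True, the double quote. Single quotes are never touched.
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    return s.replace('"', "&quot;") if quote else s

class AttrCollector(HTMLParser):
    """Records every attribute of every start tag, as the parser sees it."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        self.found.extend(attrs)

def attrs_seen(template, value, escaper):
    """Render value into the template's %s slot; return the parsed attributes."""
    parser = AttrCollector()
    parser.feed(template % escaper(value))
    parser.close()
    return dict(parser.found)

def title_survives(template, value, escaper):
    """True only if the parser recovers exactly one attribute: title == value."""
    return attrs_seen(template, value, escaper) == {"title": value}

# Constructed sample templates and values (benign text containing quotes).
DOUBLE = '<div title="%s">Hover</div>'
SINGLE = "<div title='%s'>Hover</div>"
CASES = [
    ("double-quoted attr, quote=False", DOUBLE, 'The "mustache" library',
     cgi_style_escape),
    ("double-quoted attr, quote=True", DOUBLE, 'The "mustache" library',
     lambda s: cgi_style_escape(s, quote=True)),
    ("single-quoted attr, quote=True", SINGLE, "The 'mustache' library",
     lambda s: cgi_style_escape(s, quote=True)),
    ("single-quoted attr, html.escape", SINGLE, "The 'mustache' library",
     html_escape),
]

if __name__ == "__main__":
    for label, template, value, escaper in CASES:
        status = "intact" if title_survives(template, value, escaper) else "BROKEN"
        print("%-34s %-6s %r" % (label, status, attrs_seen(template, value, escaper)))
```

A "BROKEN" row means the value ended the attribute early and the rest of the text was parsed as extra attribute names.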


Thanks for the report. This is a known issue (issue #67) that has been fixed in the development branch. Hopefully we'll be releasing that in the not-too-distant future. In the meantime, if you're using what's in master, I believe things should work as you expect if you install markupsafe (the version in master uses markupsafe's escape if markupsafe is available).

@phihag phihag closed this

Since I modify pystache anyways (to get it running under Python 3), I just patched in the fix:

diff --git a/pystache/ b/pystache/
index 563d830..a5ee092 100644
--- a/pystache/
+++ b/pystache/
@@ -13 +13 @@ except ImportError:
-    escape = lambda x: cgi.escape(unicode(x))
+    escape = lambda x: cgi.escape(unicode(x), quote=True)
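Review bot: `quote=True` on the `+` line makes `cgi.escape` escape double quotes only; single quotes still pass through unchanged, so a template that writes `title='{{title}}'` is still left unescaped on this path. Consider also replacing `'` with `&#x27;` inside the lambda. Since this line only runs in the `except ImportError:` branch, a test that covers both quote styles on the fallback escaper would keep its output in line with whatever the imported escaper produces.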

With this change, quotes are correctly escaped.




FYI, I'm just about to release a new version of Pystache (v0.5.1, just pushed to master) with official support for Python 3. If you're still using Pystache, I'd love for you to try it out.
