Safely add untrusted strings to HTML/XML markup.
Clone or download
Latest commit 9963f3d Nov 5, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
bench add style checks Nov 3, 2018
docs add changelog and license to docs Nov 3, 2018
src/markupsafe release 1.1.0 Nov 5, 2018
tests add style checks Nov 3, 2018
.appveyor.yml use cibuildwheel on appveyor Nov 2, 2018
.editorconfig add style checks Nov 3, 2018
.gitignore update project files May 2, 2018
.pre-commit-config.yaml add style checks Nov 3, 2018
.travis.yml add style checks Nov 3, 2018
CHANGES.rst release 1.1.0 Nov 5, 2018
LICENSE.rst update project files Nov 3, 2018 fix exclude pyc files Nov 5, 2018
README.rst update docs link Nov 5, 2018
setup.cfg add style checks Nov 3, 2018 add style checks Nov 3, 2018
tox.ini add style checks Nov 3, 2018



MarkupSafe implements a text object that escapes characters so it is safe to use in HTML and XML. Characters that have special meanings are replaced so that they display as the actual characters. This mitigates injection attacks, meaning untrusted user input can safely be displayed on a page.


Install and update using pip:

pip install -U MarkupSafe


>>> from markupsafe import Markup, escape
>>> # escape replaces special characters and wraps in Markup
>>> escape('<script>alert(document.cookie);</script>')
>>> # wrap in Markup to mark text "safe" and prevent escaping
>>> Markup('<strong>Hello</strong>')
>>> escape(Markup('<strong>Hello</strong>'))
>>> # Markup is a text subclass (str on Python 3, unicode on Python 2)
>>> # methods and operators escape their arguments
>>> template = Markup("Hello <em>%s</em>")
>>> template % '"World"'
Markup('Hello <em>&#34;World&#34;</em>')


The Pallets organization develops and supports MarkupSafe and other libraries that use it. In order to grow the community of contributors and users, and allow the maintainers to devote more time to the projects, please donate today.