HTML/XHTML tag builder
HTML Builder provides:
HTMLobject that creates (X)HTML tags in a Pythonic way.
literalclass used to mark strings containing intentional HTML markup.
- a smart
literal is a subclass of
unicode, so it works with all string methods
and expressions. The only thing special about it is the
which returns the string itself. The
escape() function follows a simple
protocol: if the object has an
.__html__ method, it calls that rather than
.__str__ to get the HTML representation. Third-party libraries that do not
want to import
literal (and this create a dependency on WebHelpers) can put
.__html__ method in their own classes returning the desired HTML
WebHelpers 1.2 uses MarkupSafe, a package which provides an enhanced
implementation of this protocol. Mako and Pylons have also switched to
MarkupSafe. Its advantages are a C speedup for escaping,
escaping single-quotes for security, and adding new methods to
literal. literal is now a subclass of
markupsafe.escape_silent. (The latter does not exist yet in
MarkupSafe 0.9.3, but WebHelpers itself converts None to “” in the meantime).
Single-quote escaping affects HTML attributes that are written like this: alt=’Some text.’ rather than the normal alt=”Some text.” If the text is a replaceable parameter whose value contains a single quote, the browser would think the value ends earlier than it does, thus enabling a potential cross-site scripting (XSS) attack. WebHelpers 1.0 and earlier escaped double quotes but not single quotes. MarkupSafe escapes both double and single quotes, preventing this sort of attack.
MarkupSafe has some slight differences which should not cause compatibility
issues but may in the following edge cases. (A) The
force argument to
escape() is gone. We doubt it was ever used. (B) The default encoding of
literal() is “ascii” instead of “utf-8”. (C) Double quotes are escaped as
“"” instead of “"”. Single quotes are escaped as “'”.
literal is used in a mixed expression containing both literals and
ordinary strings, it tries hard to escape the strings and return a literal.
However, this depends on which value has “control” of the expression.
literal seems to be able to take control with all combinations of the
operator, but with
join it must be on the left side of the
expression. So these all work:
"A" + literal("B") literal(", ").join(["A", literal("B")]) literal("%s %s") % (16, literal("kg"))
But these return an ordinary string which is prone to double-escaping later:
"\n".join([literal('<span class="foo">Foo!</span>'), literal('Bar!')]) "%s %s" % (literal("16"), literal("<em>kg</em>"))
Third-party libraries that don’t want to import
literal and thus avoid a
dependency on WebHelpers can add an
.__html__ method to any class, which
can return the same as
.__str__ or something else.
escape() trusts the
HTML method and does not escape the return value. So only strings that lack
.__html__ method will be escaped.
HTML object has the following methods for tag building:
Escape the string args, concatenate them, and return a literal. This is the same as
escape(s)but accepts multiple strings. Multiple args are useful when mixing child tags with text, such as:
html = HTML("The king is a >>", HTML.strong("fink"), "<<!")
- Same as
literalbut concatenates multiple arguments.
- Escape and concatenate the strings, and wrap the result in an HTML comment.
HTML.tag(tag, *content, **attrs)
Create an HTML tag
tagwith the keyword args converted to attributes. The other positional args become the content for the tag, and are escaped and concatenated. If an attribute name conflicts with a Python keyword (notably “class”), append an underscore. If an attribute value is
None, the attribute is not inserted. Two special keyword args are recognized:
- Specifies the content. This cannot be combined with content in positional args. The purpose of this argument is to position the content at the end of the argument list to match the native HTML syntax more closely. Its use is entirely optional. The value can be a string, a tuple, or a tag.
- If present and false, do not close the tag. Otherwise the tag will be closed with a closing tag or an XHTML-style trailing slash as described below.
- If present and true, insert a newline before the first content element, between each content element, and at the end of the tag.
>>> HTML.tag("a", href="http://www.yahoo.com", name=None, ... c="Click Here") literal(u'<a href="http://www.yahoo.com">Click Here</a>')
HTML.tagbut using attribute access. Example:
>>> HTML.a("Foo", href="http://example.com/", class_="important") literal(u'<a class="important" href="http://example.com/">Foo</a>')
Wrap the text in a “<![CDATA[ ... ]]>” section. Plain strings will not be escaped because CDATA itself is an escaping syntax.
>>> HTML.cdata(u"Foo") literal(u'<![CDATA[Foo]]>')
>>> HTML.cdata(u"<p>") literal(u'<![CDATA[<p>]]>')
About XHTML and HTML¶
This builder always produces tags that are valid as both HTML and XHTML.
“Void” tags – those which can never have content like
– are written like
<br />, with a space and a trailing
Only void tags get this treatment. The library will never, for
<script src="..." />, which is invalid HTML. Instead
it will produce
The W3C HTML validator validates these
constructs as valid HTML Strict. It does produce warnings, but those
warnings warn about the ambiguity if this same XML-style self-closing
tags are used for HTML elements that are allowed to take content (
<textarea>, etc). This library never produces markup like that.
Rather than add options to generate different kinds of behavior, we felt it was better to create markup that could be used in different contexts without any real problems and without the overhead of passing options around or maintaining different contexts, where you’d have to keep track of whether markup is being rendered in an HTML or XHTML context.
If you _really_ want tags without training slashes (e.g.,
<br>`)`, you can
abuse ``_closed=False to produce them.
literal(s, encoding=None, errors=strict')¶
Represents an HTML literal.
This subclass of unicode has a
.__html__()method that is detected by the
Also, if you add another string to this string, the other string will be quoted and you will get back another literal object. Also
literal(...) % objwill quote any value(s) from
obj. If you do something like
literal(...) + literal(...), neither string will be changed because
escape(literal(...))doesn’t change the original literal.
Changed in WebHelpers 1.2: the implementation is now now a subclass of
markupsafe.Markup. This brings some new methods:
Same as the
escapefunction but return the proper subclass in subclasses.
Unescape markup again into an text_type string. This also resolves known HTML4 and XHTML entities:
>>> Markup("Main » <em>About</em>").unescape() u'Main \xbb <em>About</em>'
Unescape markup into an text_type string and strip all tags. This also resolves known HTML4 and XHTML entities. Whitespace is normalized to one:
>>> Markup("Main » <em>About</em>").striptags() u'Main \xbb About'
Literal-safe version of re.sub. If the string to be operated on is a literal, return a literal result. All arguments are passed directly to
Urlencode the path portion of a URL. This is the same function as
urllib.quotein the Python standard library. It’s exported here with a name that’s easier to remember.
markupsafe package has a function
soft_unicode which converts a
string to Unicode if it’s not already. Unlike the Python builtin
it will not convert
literal) to plain Unicode, to avoid
overescaping. This is not included in WebHelpers but you may find it useful.