
Mako

Mako is a Python template library with a non-XML syntax. It does not escape expression output unless you ask it to, which is why the filters below matter.

Escaping

Mako ships four escaping filters with web output in mind: HTML, HTML entity, XML, and URL escaping. All four are implemented in Mako's filters.py.

Automatic Escaping

Escaping one expression at a time (${x | h}) does not scale and is easy to forget. To apply a filter to every expression in every template, pass the default_filters parameter when constructing your TemplateLookup or Template object, for example default_filters=['h']. Note that this list replaces Mako's default list (['unicode'] on Python 2) rather than adding to it, so include every filter you still want. Expressions that use the n filter (${x | n}) bypass the default filters entirely, so audit every use of it.

HTML Escaping

HTML escaping is invoked by the |h filter (${x | h}).

Warning:

Mako's HTML escaping will not protect you from Cross-Site Scripting if your HTML attributes are unquoted. An unquoted attribute value ends at the first whitespace, so an attacker needs neither a quote nor an angle bracket to start a new onmouseover= attribute, and none of the characters the filter escapes are required.

Always quote your HTML attributes!

Warning:

Up to and including Mako 0.3.3, the HTML escaping filter (|h) does not escape single quotes. This means your site is vulnerable to Cross-Site Scripting if you place user-supplied data in single-quoted HTML attributes: the attacker closes the attribute with ' and adds an event handler. This is fixed in 0.3.4 and it is highly recommended that you upgrade.

In Mako 0.3.3, the actual escaping is done by the standard library's cgi.escape:

import cgi  # Python 2 standard library (removed from Python in 3.13)

def html_escape(string):
    # cgi.escape with quote=True escapes &, <, > and the double quote,
    # but never the single quote
    return cgi.escape(string, True)

In Mako 0.3.4, the actual escaping is done by MarkupSafe's escape function, which also escapes the single quote (as &#39;). See the wiki page of MarkupSafe for details.
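To make the two warnings above concrete, here is an added example that is not Mako's code: it re-creates the 0.3.3 and 0.3.4 escaping behaviour in plain Python, renders a constructed attacker value into three attribute contexts (unquoted, single-quoted, double-quoted), and parses the result with the standard library's HTML parser to see which attributes a browser would end up with. The input snippets and payloads are constructed for this example.

```python
from html.parser import HTMLParser

# Stand-alone re-creations of the two behaviours described on the page.
# This is example code, not Mako's filters.py.
def html_escape_0_3_3(s):
    """What cgi.escape(s, True) did: escapes & < > and the double quote only."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))

def html_escape_0_3_4(s):
    """What MarkupSafe's escape adds on top: the single quote becomes &#39;."""
    return html_escape_0_3_3(s).replace("'", "&#39;")

# Hypothetical template fragments, one per attribute-quoting style.
CONTEXTS = {
    "unquoted": "<input value={v}>",
    "single":   "<input value='{v}'>",
    "double":   '<input value="{v}">',
}

# Constructed attacker payloads, each tailored to its context.
PAYLOADS = {
    "unquoted": "x onmouseover=alert(1)",
    "single":   "x' onmouseover='alert(1)",
    "double":   'x" onmouseover="alert(1)',
}

class _AttrCollector(HTMLParser):
    """Records the attributes a browser-side parser would see on the tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs.update(dict(attrs))

def render(context, payload, escape):
    """Render the payload through the given filter into the given context."""
    return CONTEXTS[context].format(v=escape(payload))

def has_injected_handler(html):
    """True if an on* event-handler attribute appears that the template never wrote."""
    parser = _AttrCollector()
    parser.feed(html)
    parser.close()
    return any(name.startswith("on") for name in parser.attrs)

def exploitable(context, escape):
    return has_injected_handler(render(context, PAYLOADS[context], escape))

def matrix():
    """Map (context, filter version) -> whether the payload breaks out."""
    versions = (("0.3.3", html_escape_0_3_3), ("0.3.4", html_escape_0_3_4))
    return {(ctx, ver): exploitable(ctx, fn) for ctx in CONTEXTS for ver, fn in versions}

if __name__ == "__main__":
    for (ctx, ver), bad in sorted(matrix().items()):
        print(f"{ctx:8} {ver}  {'XSS' if bad else 'safe'}")
```

Running it shows the three outcomes the warnings describe: the unquoted context is exploitable under both versions because the payload contains nothing the filter touches, the single-quoted context is exploitable only under the 0.3.3 behaviour, and the double-quoted context is safe under both.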

HTML Entity Escaping

HTML entity escaping is invoked by the |entity filter. Mako has its own scheme for HTML entity escaping that has not been reviewed here and requires further scrutiny.

XML Escaping

Mako has its own XML escaping routine that replaces the five characters with markup meaning in XML (&, >, <, ", and ') using references that are valid in both XML and HTML. It's invoked by the |x filter.

XML escaping code from 0.3.4:

import re

xml_escapes = {
    '&' : '&amp;',
    '>' : '&gt;',
    '<' : '&lt;',
    '"' : '&#34;',   # numeric reference; &quot; would also work in HTML and XML
    "'" : '&#39;'    # numeric reference; &apos; is valid XML but not HTML 4
}
# XXX: &quot; is valid in HTML and XML
#      &apos; is not valid HTML, but is valid XML

def xml_escape(string):
    # replace each of the five characters with its entry from xml_escapes
    return re.sub(r'([&<"\'>])', lambda m: xml_escapes[m.group()], string)

URL Escaping

URL escaping is invoked by the |u filter. The actual escaping is done by urllib's quote_plus, which percent-encodes everything except letters, digits and a few safe punctuation characters and turns spaces into '+'. That is the encoding for a single query-string component: use |u on a value you place into one URL parameter. It will mangle a whole URL (the scheme separator and slashes get encoded too), and it is no substitute for checking the scheme of a user-supplied link before emitting it with |h.

import urllib  # Python 2; the Python 3 equivalent is urllib.parse.quote_plus

def url_escape(string):
    # convert into a list of octets
    string = string.encode("utf8")
    return urllib.quote_plus(string)
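The property |u buys you is that whatever the user typed stays inside the one parameter the template put it in. The following added example (not Mako's code; a Python 3 re-creation of url_escape, a hypothetical search link, and constructed inputs) builds the link and then parses it back to check that no extra parameters or fragment appeared.

```python
from urllib.parse import parse_qs, quote_plus, urlsplit

def url_escape(string):
    """Python 3 equivalent of the page's url_escape: quote_plus encodes str
    input as UTF-8 itself, which replaces the explicit .encode("utf8")."""
    return quote_plus(string)

def search_link(term, escape=url_escape):
    """Hypothetical template: <a href="/search?q=${term | u}&page=1">"""
    return f"/search?q={escape(term)}&page=1"

def parsed_params(url):
    """Split the link the way a server would: query only, fragment discarded."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)

def term_stays_in_q(term, escape=url_escape):
    """True if the term is recovered intact from q and nothing else was added."""
    params = parsed_params(search_link(term, escape))
    return params.get("q") == [term] and set(params) == {"q", "page"}

if __name__ == "__main__":
    attacker = "a&page=99&admin=1#x"     # constructed: tries to add parameters
    print("with |u   :", search_link(attacker), term_stays_in_q(attacker))
    print("without |u:", search_link(attacker, escape=str),
          term_stays_in_q(attacker, escape=str))
    print("non-ascii :", search_link("café au lait"), term_stays_in_q("café au lait"))
```

Without the filter the same input yields three parameters (q, page twice, admin) and a fragment; with it the whole string, ampersands and hash included, is returned as the single value of q.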

Edited by Craig Younkins on 6/23/10 9:23 AM

An OWASP project created by Craig Younkins

Powered by Moe and Google App Engine