From fbe3bdd8aae50a2086659cc62e982c3e3a5a46ae Mon Sep 17 00:00:00 2001
From: sadaszewski
Date: Sun, 24 Aug 2025 17:37:56 +0200
Subject: [PATCH 1/5] Fix escaping
---
 htbuilder/__init__.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/htbuilder/__init__.py b/htbuilder/__init__.py
index dd50be8..1594eef 100644
--- a/htbuilder/__init__.py
+++ b/htbuilder/__init__.py
@@ -53,6 +53,8 @@ from .units import unit
 from .utils import classes, fonts, rule, styles
+from html import escape
+
 EMPTY_ELEMENTS = set(
 [
 # https://developer.mozilla.org/en-US/docs/Glossary/Empty_element
@@ -143,13 +145,13 @@ def __getitem__(self, *children: Any):
 return self(children)
 def __str__(self) -> str:
- children = "".join([str(c) for c in self._children])
+ children = "".join([escape(c) if isinstance(c, str) else str(c) for c in self._children])
 if self._tag is None:
 return children
 tag = _clean_name(self._tag)
- attrs = " ".join([f'{_clean_name(k)}="{v}"' for k, v in self._attrs.items()])
+ attrs = " ".join([f'{_clean_name(k)}="{escape(v)}"' for k, v in self._attrs.items()])
 if self._cannot_have_children:
 if self._attrs:
From 6628025e4c7b061d34846ad6812cb410d5bf50d0 Mon Sep 17 00:00:00 2001
From: sadaszewski
Date: Sun, 24 Aug 2025 17:40:26 +0200
Subject: [PATCH 2/5] Update __init__.py
---
 htbuilder/__init__.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htbuilder/__init__.py b/htbuilder/__init__.py
index 1594eef..38d79c3 100644
--- a/htbuilder/__init__.py
+++ b/htbuilder/__init__.py
@@ -213,5 +213,5 @@ def _to_flat_list(obj: Any) -> Any:
 def __getattr__(tag: str) -> HtmlTag:
 if tag == "fragment":
- return HtmlTag(tag)
- return HtmlTag(None)
+ return HtmlTag(tag)
+ return HtmlTag(None)
From dfd8eb7e836fee62967a1e2ca4a3c005e0d84993 Mon Sep 17 00:00:00 2001
From: sadaszewski
Date: Sun, 24 Aug 2025 17:43:58 +0200
Subject: [PATCH 3/5] Update __init__.py
---
 htbuilder/__init__.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
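Review bot: In PATCH 1/5, the new `children` line in `__str__` escapes only values that are `str` instances, so any other child whose `str()` can carry caller-controlled text (an exception, a path object, a lazy-string proxy) is still written out as raw markup. Escaping by default and exempting only this element class and an explicit raw wrapper would close that gap, i.e. `escape(str(c))` for every child that is not an element or a `dont_escape` (the wrapper added in PATCH 4/5). `html.escape` is also only the right encoding for element text and quoted attribute values: text placed inside `script` or `style` elements, URL-valued attributes such as `href`, and event-handler attributes are not made safe by it, and that limit deserves a comment above the `children` and `attrs` lines. The body of `__str__` continues past the end of the hunk, so the rest of the rendering path is not visible here.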
diff --git a/htbuilder/__init__.py b/htbuilder/__init__.py
index 38d79c3..7b53188 100644
--- a/htbuilder/__init__.py
+++ b/htbuilder/__init__.py
@@ -212,6 +212,4 @@ def _to_flat_list(obj: Any) -> Any:
 def __getattr__(tag: str) -> HtmlTag:
- if tag == "fragment":
- return HtmlTag(tag)
- return HtmlTag(None)
+ return HtmlTag(tag)
From 7a322f29c447e74bdc294b951b533ccf75bac8cc Mon Sep 17 00:00:00 2001
From: Stanislaw Adaszewski
Date: Mon, 6 Oct 2025 11:13:05 +0200
Subject: [PATCH 4/5] Add dont_escape.
---
 htbuilder/__init__.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/htbuilder/__init__.py b/htbuilder/__init__.py
index 7b53188..b9b1fef 100644
--- a/htbuilder/__init__.py
+++ b/htbuilder/__init__.py
@@ -211,5 +211,12 @@ def _to_flat_list(obj: Any) -> Any:
 return out
+class dont_escape:
+ def __init__(self, s: str):
+ self.s = s
+ def __str__(self):
+ return self.s
+
+
 def __getattr__(tag: str) -> HtmlTag:
 return HtmlTag(tag)
From 935b5b0ccf409aa9355d9b3edfd51dee3f806d0c Mon Sep 17 00:00:00 2001
From: Stanislaw Adaszewski
Date: Tue, 7 Oct 2025 09:34:17 +0200
Subject: [PATCH 5/5] Fix attribute cast to str.
---
 htbuilder/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htbuilder/__init__.py b/htbuilder/__init__.py
index b9b1fef..44e87c9 100644
--- a/htbuilder/__init__.py
+++ b/htbuilder/__init__.py
@@ -151,7 +151,7 @@ def __str__(self) -> str:
 return children
 tag = _clean_name(self._tag)
- attrs = " ".join([f'{_clean_name(k)}="{escape(v)}"' for k, v in self._attrs.items()])
+ attrs = " ".join([f'{_clean_name(k)}="{escape(str(v))}"' for k, v in self._attrs.items()])
 if self._cannot_have_children:
 if self._attrs:
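Review bot: The `dont_escape` class added in PATCH 4/5 has no docstring, although it is the one place where a caller opts out of escaping, so the trust requirement should be written on the class itself. A suitable docstring would be `"""Wrap markup that is already safe HTML; it is emitted verbatim as a child, so never wrap untrusted input."""`. The wrapper takes effect only because the `children` line in `__str__` leaves every non-`str` object unescaped, and attribute values go through `escape(str(v))` as of PATCH 5/5, so a wrapped value used as an attribute is still escaped; the docstring should state that it applies to children only.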