Skip to content

Commit

Permalink
Move html_escape_url to utils
Browse files Browse the repository at this point in the history
  • Loading branch information
Einenlum committed Jun 16, 2022
1 parent 5b31a6e commit 7f58bc2
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 15 deletions.
20 changes: 5 additions & 15 deletions lib/markdown2.py
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,7 @@
hr_tag_re_from_tab_width,
xml_escape_attr,
xml_encode_email_char_at_random,
html_escape_url,
)

# ---- globals
Expand Down Expand Up @@ -1511,7 +1512,7 @@ def _do_links(self, text):
if is_img:
img_class_str = self._html_class_str_from_tag("img")
result = '<img src="%s" alt="%s"%s%s%s' \
% (_html_escape_url(url, safe_mode=self.safe_mode),
% (html_escape_url(url, safe_mode=self.safe_mode),
xml_escape_attr(_AMPERSAND_RE, link_text),
title_str,
img_class_str,
Expand All @@ -1525,7 +1526,7 @@ def _do_links(self, text):
if self.safe_mode and not safe_link:
result_head = '<a href="#"%s>' % (title_str)
else:
result_head = '<a href="%s"%s>' % (_html_escape_url(url, safe_mode=self.safe_mode), title_str)
result_head = '<a href="%s"%s>' % (html_escape_url(url, safe_mode=self.safe_mode), title_str)
result = '%s%s</a>' % (result_head, link_text)
if "smarty-pants" in self.extras:
result = result.replace('"', self._escape_table['"'])
Expand Down Expand Up @@ -1567,7 +1568,7 @@ def _do_links(self, text):
if is_img:
img_class_str = self._html_class_str_from_tag("img")
result = '<img src="%s" alt="%s"%s%s%s' \
% (_html_escape_url(url, safe_mode=self.safe_mode),
% (html_escape_url(url, safe_mode=self.safe_mode),
xml_escape_attr(_AMPERSAND_RE, link_text),
title_str,
img_class_str,
Expand All @@ -1580,7 +1581,7 @@ def _do_links(self, text):
if self.safe_mode and not self._safe_protocols.match(url):
result_head = '<a href="#"%s>' % (title_str)
else:
result_head = '<a href="%s"%s>' % (_html_escape_url(url, safe_mode=self.safe_mode), title_str)
result_head = '<a href="%s"%s>' % (html_escape_url(url, safe_mode=self.safe_mode), title_str)
result = '%s%s</a>' % (result_head, link_text)
if "smarty-pants" in self.extras:
result = result.replace('"', self._escape_table['"'])
Expand Down Expand Up @@ -2483,17 +2484,6 @@ class UnicodeWithAttrs(str):
toc_html = None


def _html_escape_url(attr, safe_mode=False):
"""Replace special characters that are potentially malicious in url string."""
escaped = (attr
.replace('"', '&quot;')
.replace('<', '&lt;')
.replace('>', '&gt;'))
if safe_mode:
escaped = escaped.replace('+', ' ')
escaped = escaped.replace("'", "&#39;")
return escaped


# ---- mainline

Expand Down
12 changes: 12 additions & 0 deletions lib/utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -307,3 +307,15 @@ def xml_encode_email_char_at_random(ch):
return "&#%s;" % hex(ord(ch))[1:]
else:
return "&#%s;" % ord(ch)


def html_escape_url(attr, safe_mode=False):
"""Replace special characters that are potentially malicious in url string."""
escaped = (attr
.replace('"', '&quot;')
.replace('<', '&lt;')
.replace('>', '&gt;'))
if safe_mode:
escaped = escaped.replace('+', ' ')
escaped = escaped.replace("'", "&#39;")
return escaped

0 comments on commit 7f58bc2

Please sign in to comment.