Escaping strings for use in XML

python security xml escaping

Solution 1:

Something like this?

>>> from xml.sax.saxutils import escape
>>> escape("< & >")   
'&lt; &amp; &gt;'

Solution 2:

xml.sax.saxutils does not escape quotation characters (")

So here is another one:

def escape( str ):
    str = str.replace("&", "&amp;")
    str = str.replace("<", "&lt;")
    str = str.replace(">", "&gt;")
    str = str.replace("\"", "&quot;")
    return str

if you look it up then xml.sax.saxutils only does string replace

Solution 3:

xml.sax.saxutils.escape only escapes &, <, and > by default, but it does provide an entities parameter to additionally escape other strings:

from xml.sax.saxutils import escape

def xmlescape(data):
    return escape(data, entities={
        "'": "&apos;",
        "\"": "&quot;"
    })

xml.sax.saxutils.escape uses str.replace() internally, so you can also skip the import and write your own function, as shown in MichealMoser's answer.

Solution 4:

Do you mean you do something like this:

from xml.dom.minidom import Text, Element

t = Text()
e = Element('p')

t.data = '<bar><a/><baz spam="eggs"> & blabla &entity;</>'
e.appendChild(t)

Then you will get nicely escaped XML string:

>>> e.toxml()
'<p>&lt;bar&gt;&lt;a/&gt;&lt;baz spam=&quot;eggs&quot;&gt; &amp; blabla &amp;entity;&lt;/&gt;</p>'

Related

Laravel 5 controller sending JSON integer as string
Try Catch cannot work with require_once in PHP?
library is linked but reference is undefined
npm ERR! code Z_BUF_ERROR when install
Reaching 100% Code Coverage with PHPUnit
How do I compute the non-client window size in WPF?
PL/SQL print out ref cursor returned by a stored procedure
Android Device phone call ability
Blinking Text in android view
How to detect horizontal scrolling in jQuery?
Print a float number in normal form, not exponential form / scientific notation [duplicate]
PHP equivalent of friend or internal