#2830: add html.escape() helper and move cgi.escape() uses in the standard library to it. It defaults to quote=True and also escapes single quotes, which makes casual use safer. The cgi.escape() interface is not touched, but emits a (silent) PendingDeprecationWarning.

2025-08-03 08:34:29 +00:00 · 2010-10-15 15:57:45 +00:00 · 2010-10-15 15:57:45 +00:00 · 1f7fffb308
commit 1f7fffb308
parent 70543acfa1
11 changed files with 94 additions and 28 deletions
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@ -84,7 +84,7 @@ __version__ = "0.6"

 __all__ = ["HTTPServer", "BaseHTTPRequestHandler"]

-import cgi
+import html
 import email.message
 import email.parser
 import http.client
@ -705,7 +705,7 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
            return None
        list.sort(key=lambda a: a.lower())
        r = []
-        displaypath = cgi.escape(urllib.parse.unquote(self.path))
+        displaypath = html.escape(urllib.parse.unquote(self.path))
        r.append('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">')
        r.append("<html>\n<title>Directory listing for %s</title>\n" % displaypath)
        r.append("<body>\n<h2>Directory listing for %s</h2>\n" % displaypath)
@ -721,7 +721,7 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
                displayname = name + "@"
                # Note: a link to a directory displays with @ and links with /
            r.append('<li><a href="%s">%s</a>\n'
-                    % (urllib.parse.quote(linkname), cgi.escape(displayname)))
+                    % (urllib.parse.quote(linkname), html.escape(displayname)))
        r.append("</ul>\n<hr>\n</body>\n</html>\n")
        enc = sys.getfilesystemencoding()
        encoded = ''.join(r).encode(enc)