Skip to main content

Module css

contextual_encoder

Module css

Expand description

CSS contextual output encoders.

provides two encoding contexts:

for_css_string — safe for CSS string values (inside quotes)
for_css_url — safe for CSS url() values

both use CSS hex escape syntax (\XX) with a trailing space appended when the next character could be misinterpreted as part of the hex value.

§security notes

CSS string values must be quoted. these encoders produce output safe inside "..." or '...' delimiters.
these encoders do not validate CSS property names, selectors, or expressions. encoding cannot make arbitrary CSS safe — validate the structure separately.
for url() values, the URL itself must be validated (scheme whitelist, etc.) before encoding. encoding only prevents syntax breakout.

Functions§

for_css_string: encodes input for safe embedding in a quoted CSS string value.
for_css_url: encodes input for safe embedding in a CSS url() value.
write_css_string: writes the CSS-string-encoded form of input to out.
write_css_url: writes the CSS-url-encoded form of input to out.