HTML / XML contextual output encoders.
Provides four encoding contexts with different safety guarantees:
- for_html - safe for both text content and quoted attributes (most conservative)
- for_html_content - safe for text content only (does not encode quotes)
- for_html_attribute - safe for quoted attributes only (does not encode the > character)
- for_html_unquoted_attribute - safe for unquoted attribute values (most aggressive)
All encoders replace invalid XML characters (C0/C1 controls, DEL, Unicode non-characters) with a replacement character (space or dash, depending on context).
§Security notes
- These encoders produce output safe for embedding in the specified context. They do not sanitize HTML — encoding is not a substitute for input validation.
- Never use for_html_content output in an attribute context.
- Never use for_html_attribute output in a text content context where the > character matters.
- for_html is the safe default when the exact context is unknown.
- Tag names, attribute names, and event handler names must be validated separately — encoding cannot make arbitrary names safe.
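The context-dependent rules above, as an added stand-alone example that is not this crate's code: the escape set per context and the replacement character per context are assumptions chosen to match the descriptions above, not the crate's actual tables, and stays_in_context is an illustrative check of whether encoded output can still break out of the context it was encoded for.

```rust
use std::fmt::Write;

/// The four output contexts described above (assumed names for this example).
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Ctx { Html, Content, Attribute, UnquotedAttribute }

/// C0/C1 controls other than tab/LF/CR, DEL, and Unicode non-characters.
fn is_invalid_xml(c: char) -> bool {
    let u = c as u32;
    matches!(u, 0x00..=0x08 | 0x0B | 0x0C | 0x0E..=0x1F | 0x7F..=0x9F | 0xFDD0..=0xFDEF)
        || (u & 0xFFFE) == 0xFFFE
}

/// Encode `input` for `ctx`. Assumed escape sets:
///   Html: & < > " '   Content: & < >   Attribute: & < " ' (not >)
///   UnquotedAttribute: everything outside [A-Za-z0-9], as numeric references.
pub fn encode(input: &str, ctx: Ctx) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        if is_invalid_xml(c) {
            // Assumed policy: a space where whitespace is harmless, a dash in an
            // unquoted attribute where a space would terminate the value.
            out.push(if ctx == Ctx::UnquotedAttribute { '-' } else { ' ' });
            continue;
        }
        match (c, ctx) {
            ('&', _) => out.push_str("&amp;"),
            ('<', _) => out.push_str("&lt;"),
            ('>', Ctx::Html | Ctx::Content | Ctx::UnquotedAttribute) => out.push_str("&gt;"),
            ('"', Ctx::Html | Ctx::Attribute | Ctx::UnquotedAttribute) => out.push_str("&quot;"),
            ('\'', Ctx::Html | Ctx::Attribute | Ctx::UnquotedAttribute) => out.push_str("&#39;"),
            (c, Ctx::UnquotedAttribute) if !c.is_ascii_alphanumeric() => {
                let _ = write!(out, "&#{};", c as u32);
            }
            (c, _) => out.push(c),
        }
    }
    out
}

/// True when `encoded` contains no character that could end the value or element
/// in `ctx` (quotes in an attribute, angle brackets in content, more when unquoted).
pub fn stays_in_context(encoded: &str, ctx: Ctx) -> bool {
    let forbidden: &[char] = match ctx {
        Ctx::Html => &['<', '>', '"', '\''],
        Ctx::Content => &['<', '>'],
        Ctx::Attribute => &['"', '\''],
        Ctx::UnquotedAttribute => &['<', '>', '"', '\'', ' ', '\t', '\n', '=', '`'],
    };
    !encoded.contains(forbidden)
}
```

Running stays_in_context on for_html_content-style output against the Attribute context shows concretely why the notes above forbid that mix: the quotes survive encoding.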
Functions§
- for_html - Encodes input for safe embedding in HTML text content and quoted attributes.
- for_html_attribute - Encodes input for safe embedding in a quoted HTML attribute value.
- for_html_content - Encodes input for safe embedding in HTML text content.
- for_html_unquoted_attribute - Encodes input for safe embedding in an unquoted HTML attribute value.
- write_html - Writes the HTML-encoded form of input to out.
- write_html_attribute - Writes the HTML-attribute-encoded form of input to out.
- write_html_content - Writes the HTML-content-encoded form of input to out.
- write_html_unquoted_attribute - Writes the unquoted-HTML-attribute-encoded form of input to out.