From 18009342850e71775e7ebac7b6a743fbe3265c78 Mon Sep 17 00:00:00 2001 From: Georg Brandl <georg@python.org> Date: Mon, 2 Aug 2010 21:51:18 +0000 Subject: [PATCH] #9061: warn that single quotes are never escaped. --- Doc/library/cgi.rst | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/Doc/library/cgi.rst b/Doc/library/cgi.rst index 17482d70de7..cfc695353a7 100644 --- a/Doc/library/cgi.rst +++ b/Doc/library/cgi.rst @@ -324,10 +324,13 @@ algorithms implemented in this module in other circumstances. Convert the characters ``'&'``, ``'<'`` and ``'>'`` in string *s* to HTML-safe sequences. Use this if you need to display text that might contain such characters in HTML. If the optional flag *quote* is true, the quotation mark - character (``'"'``) is also translated; this helps for inclusion in an HTML - attribute value, as in ``<A HREF="...">``. If the value to be quoted might - include single- or double-quote characters, or both, consider using the - :func:`quoteattr` function in the :mod:`xml.sax.saxutils` module instead. + character (``"``) is also translated; this helps for inclusion in an HTML + attribute value delimited by double quotes, as in ``<a href="...">``. Note + that single quotes are never translated. + + If the value to be quoted might include single- or double-quote characters, + or both, consider using the :func:`quoteattr` function in the + :mod:`xml.sax.saxutils` module instead. .. _cgi-security: -- 2.30.9
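Review bot: The added sentence "Note that single quotes are never translated" in the *quote* paragraph states the behaviour but not what it means for the caller, which is the part a reader skimming for safe usage needs. Consider spelling it out, for example "Note that single quotes are never translated, so the result must not be placed in an attribute value delimited by single quotes", and keeping the pointer to :func:`quoteattr` directly after it rather than in a separate paragraph, so the warning and the alternative are read together. A smaller style point in the same hunk: the quotation mark is now written as ``"`` while the first sentence of the paragraph still writes ``'&'``, ``'<'`` and ``'>'`` with surrounding quotes; one convention should be used for all four characters.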