escape quotes

keithasaurus · Nov 28, 2023 · c313f2e · c313f2e
1 parent 131f2e2
commit c313f2e
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "simple-html"
-version = "1.1.0"
+version = "1.1.1"
 readme = "README.md"
 description = "Template-less html rendering in Python"
 authors = ["Keith Philpott <[email protected]>"]

diff --git a/simple_html/__init__.py b/simple_html/__init__.py
@@ -80,7 +80,7 @@ def __hash__(self) -> int:
 
 def escape_attribute_key(k: str) -> str:
     return (
-        escape(k)
+        escape(k, True)
         .replace("=", "&#x3D;")
         .replace("\\", "&#x5C;")
         .replace("`", "&#x60;")
@@ -121,7 +121,7 @@ def __call__(
                         else escape_attribute_key(key)
                     )
                 if isinstance(val, str):
-                    attrs += f' {key}="{escape(val)}"'
+                    attrs += f' {key}="{escape(val, True)}"'
                 elif isinstance(val, SafeString):
                     attrs += f' {key}="{val.safe_str}"'
                 elif val is None:

diff --git a/tests/test_simple_html.py b/tests/test_simple_html.py
@@ -186,8 +186,8 @@ def test_render_with_escaped_attributes() -> None:
         == '<div onmousenter&#x3D;&quot;alert(1)&quot;&nbsp;noop="1"></div>'
     )
     assert (
-        render(span({"<script></script>": ">"}))
-        == '<span &lt;script&gt;&lt;/script&gt;="&gt;"></span>'
+        render(span({"<script>\"</script>": "\">"}))
+        == '<span &lt;script&gt;&quot;&lt;/script&gt;="&quot;&gt;"></span>'
     )
     # vals and keys escape slightly differently
     assert (