From 08369521f135175141775c1b4f812b49a1fcc27d Mon Sep 17 00:00:00 2001
From: Waylan Limberg
Date: Mon, 5 Nov 2007 05:02:42 +0000
Subject: Added html escaping as an optional behavior to the default of removing html in safe_mode.
---
 markdown.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
(limited to 'markdown.py')
diff --git a/markdown.py b/markdown.py
index c150b1f..6b7b09f 100644
--- a/markdown.py
+++ b/markdown.py
@@ -47,7 +47,7 @@ TAB_LENGTH = 4 # expand tabs to this many spaces
 ENABLE_ATTRIBUTES = True # @id = xyz -> <... id="xyz">
 SMART_EMPHASIS = 1 # this_or_that does not become thisorthat
 HTML_REMOVED_TEXT = "[HTML_REMOVED]" # text used instead of HTML in safe mode
-
+ # If blank, html will be escaped.
 RTL_BIDI_RANGES = ( (u'\u0590', u'\u07FF'),
 # from Hebrew to Nko (includes Arabic, Syriac and Thaana)
 (u'\u2D30', u'\u2D7F'),
@@ -913,13 +913,23 @@ class RawHtmlTextPostprocessor(Postprocessor) :
 for i in range(self.stash.html_counter) :
 html, safe = self.stash.rawHtmlBlocks[i]
 if self.safeMode and not safe:
- html = HTML_REMOVED_TEXT
+ if HTML_REMOVED_TEXT:
+ html = HTML_REMOVED_TEXT
+ else:
+ html = self.escape(html)
 text = text.replace("

%s\n

" % (HTML_PLACEHOLDER % i), html + "\n")
 text = text.replace(HTML_PLACEHOLDER % i, html)
 return text
+ def escape(self, html):
+ ''' Basic html escaping '''
+ html = html.replace('&', '&')
+ html = html.replace('<', '<')
+ html = html.replace('>', '>')
+ return html.replace('"', '"')
+
 RAWHTMLTEXTPOSTPROCESSOR = RawHtmlTextPostprocessor()
 """
-- cgit v1.2.3
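Review bot: In the `if self.safeMode and not safe:` branch, the choice between dropping and escaping raw HTML now depends on whether the module-level `HTML_REMOVED_TEXT` is empty, so blanking the marker just to hide it silently switches safe mode to echoing the escaped source; an explicit setting for the policy would be easier to audit than an overloaded string. `escape()` leaves `'` untouched, which holds for element content but not if the result is ever placed in a single-quoted attribute; adding `html = html.replace("'", '&#39;')` before the final `return` covers that. As shown on this page each replacement string equals the character it replaces, presumably because the entities were decoded for display, so the committed values should be checked to be `&amp;`, `&lt;`, `&gt;` and `&quot;`. The method containing the loop starts outside the hunk.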