From paul at boddie.org.uk  Wed Dec 20 11:08:21 2017
From: paul at boddie.org.uk (Paul Boddie)
Date: Wed, 20 Dec 2017 17:08:21 +0100
Subject: [moin-devel] [PATCH] Decoupled wikiutil.escape from Werkzeug to
 restore correct behaviour
Message-ID: <82ecd3791e2021d6f981.1513786101@jeremy>

# HG changeset patch
# User Paul Boddie <paul at boddie.org.uk>
# Date 1513785875 -3600
# Node ID 82ecd3791e2021d6f981c0751a249b0baade9ef2
# Parent  e8dbc447d3abdfeeea7028922eb4c7e3db5b9e1c
Decoupled wikiutil.escape from Werkzeug to restore correct behaviour.

Werkzeug has changed the behaviour of its escape function to escape quotation
marks regardless of the value of the quote parameter. This causes inappropriate
double-escaping in some formatted output, such as in the production of table
presentation attributes.

This change restores the previous behaviour, making use of the cgi.escape
library function whose functionality was previously duplicated in Moin to
apparently avoid its use.

diff -r e8dbc447d3ab -r 82ecd3791e20 MoinMoin/parser/_tests/test_text_moin_wiki.py
--- a/MoinMoin/parser/_tests/test_text_moin_wiki.py	Wed Nov 29 15:51:48 2017 +0100
+++ b/MoinMoin/parser/_tests/test_text_moin_wiki.py	Wed Dec 20 17:04:35 2017 +0100
@@ -338,7 +338,7 @@
         self.do(test)
 
     def do(self, test):
-        expected = r'&lt;tablewidth=&quot;80&quot;&gt;'
+        expected = r'&lt;tablewidth="80"&gt;'
         result = self.parse(test)
         assert re.search(expected, result)
 
diff -r e8dbc447d3ab -r 82ecd3791e20 MoinMoin/wikiutil.py
--- a/MoinMoin/wikiutil.py	Wed Nov 29 15:51:48 2017 +0100
+++ b/MoinMoin/wikiutil.py	Wed Dec 20 17:04:35 2017 +0100
@@ -177,7 +177,10 @@
     return werkzeug.url_quote(pagename, charset=charset, safe='/')
 
 
-escape = werkzeug.escape
+def escape(s, quote=None):
+    if not isinstance(s, (str, unicode)):
+        s = str(s)
+    return cgi.escape(s, quote)
 
 
 def clean_input(text, max_len=201):