[XML-SIG] escaping ' or " in attributes

Mike Brown mike at skew.org
Sun Nov 14 22:45:02 CET 2004

Hefferon9 at aol.com wrote:
> 1) What is the canonical way to escape the quotes inside of an attribute? I
> have a cgi script, and may be getting things from users that I want to stuff
> inside of the attributes. That is, I have code like this:
>   favoriteFood=fs.getfirst('favoriteFood')  # fs is a cgi.FieldStorage structure
>   attrDct={'favoriteFood':favoriteFood}
> and I'm afraid I'll get "Mama's" for an answer, giving me XML like
>   <choice favoriteFood='Mama's' />
> (likewise, "Ben & Jerry's" gives me worries). I've cast about for what I
> thought were likely names, but didn't find any.

Depends on how you're creating the X(HT)ML. If you're just doing
prints then of course you will need to do your own replacements.

I suggest you read Uche Ogbuji's article on xml.com entitled
"Proper XML Output In Python" (Google for it).

One thing you should note is that XML has an "apos" entity, but HTML does not. 
Therefore if you are intending to generate HTML 4.0 browser compatible XHTML 
(as it appears you are), then you need to use "&#39;" instead of "&apos;" when 
putting an apostrophe/single-quote in an attribute value that is delimited by 
those same characters.
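
The escaping described in the reply above, as an added example that is not part of the original post: it builds the `<choice>` element from the question by hand with `&#39;` and `&quot;`, and again with `xml.sax.saxutils.quoteattr()`, then parses each result back to confirm the value survives. The function names and the last two sample values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Numeric character references work in XML parsers and HTML 4 browsers alike;
# &apos; is predefined only in XML, so it is avoided here.
QUOTE_REFS = {"'": "&#39;", '"': "&quot;"}


def attr_value(text):
    """Escape text for an attribute value delimited by ' or by "."""
    # escape() replaces &, < and > first, then applies the extra mappings.
    return escape(text, QUOTE_REFS)


def choice_element(favorite_food):
    """Hand-built markup, as when the output is produced with print."""
    return "<choice favoriteFood='%s' />" % attr_value(favorite_food)


def choice_element_quoteattr(favorite_food):
    """Same element, letting quoteattr() pick the delimiter and escape."""
    return "<choice favoriteFood=%s />" % quoteattr(favorite_food)


def round_trips(markup, original):
    """Parse the markup and confirm the attribute comes back unchanged."""
    return ET.fromstring(markup).get("favoriteFood") == original


# Constructed sample inputs; the first two are the values from the question.
SAMPLES = ["Mama's", "Ben & Jerry's", 'say "cheese"', "5\" <deep> 'dish'"]

if __name__ == "__main__":
    for food in SAMPLES:
        for markup in (choice_element(food), choice_element_quoteattr(food)):
            print(markup, "->", "ok" if round_trips(markup, food) else "BROKEN")
```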
