The html module. html.escape() is the canonical XSS sanitizer for writing user input into HTML text content (and, with quote=True, into quoted attribute values). html.unescape() does the inverse and must NOT be used on output paths, because it turns previously escaped entities back into live markup.
| Method | Role | Signature | Description |
|---|---|---|---|
| `.escape()` | Sanitizer | `html.escape(s: str, quote: bool = True) -> str` | Escapes `&`, `<`, `>` and, when `quote=True`, also `"` and `'` for HTML text. XSS sanitizer. |
| `.unescape()` | Neutral | `html.unescape(s: str) -> str` | Converts HTML entities back to characters. Inverse of `escape()`. Not a sanitizer. |
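The following is an added example, not code from the original page or from the rule set it documents. It contrasts the sanitizer (`html.escape()` in text and quoted-attribute context, with and without `quote`) against the neutral inverse (`html.unescape()` on an output path). The user input string and the `render_*` helper names are constructed for this example.

```python
import html

# Constructed sample: an attacker-controlled display name containing markup,
# quotes and an ampersand (constructed for this example, not real data).
USER_INPUT = '<img src=x onerror="alert(1)"> O\'Brien & co'


def render_text(user_input: str) -> str:
    """Safe output path: escape before writing into HTML text content."""
    return f"<p>{html.escape(user_input)}</p>"


def render_attr(user_input: str) -> str:
    """Safe output path: quote=True (the default) also escapes " and ',
    so the value cannot terminate a double-quoted attribute."""
    return f'<input value="{html.escape(user_input, quote=True)}">'


def render_attr_noquote(user_input: str) -> str:
    """Unsafe for attribute context: quote=False leaves " and ' intact."""
    return f'<input value="{html.escape(user_input, quote=False)}">'


def render_unescaped(stored: str) -> str:
    """Unsafe output path: unescaping previously escaped data on the way
    out reintroduces the raw markup that escape() had neutralised."""
    return f"<p>{html.unescape(stored)}</p>"


def contains_raw_tag(markup: str, tag: str = "<img") -> bool:
    """True if the rendered markup still contains a live (unescaped) tag."""
    return tag in markup


def attribute_breakout(rendered_input: str) -> bool:
    """True if a raw double quote survives inside the attribute value area,
    i.e. the value could close the attribute and inject new ones."""
    prefix, suffix = '<input value="', '">'
    value_part = rendered_input[len(prefix):-len(suffix)]
    return '"' in value_part


if __name__ == "__main__":
    print(render_text(USER_INPUT))
    print(render_attr(USER_INPUT))
    print(render_attr_noquote(USER_INPUT))
    # Simulate an output path that stores the escaped form and then unescapes it.
    print(render_unescaped(html.escape(USER_INPUT)))
```

Running the block shows that `render_text` and `render_attr` emit only entities, `render_attr_noquote` leaves a raw `"` inside the attribute value, and `render_unescaped` produces exactly the original injected `<img ...>` tag again, which is why the rule classifies `unescape()` as neutral rather than as a sanitizer.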
| FQN | Field |
|---|---|
| `html` | `fqns[0]` |
| `html.parser` | `fqns[1]` |
A wrong FQN yields 0 findings. Verify by changing `fqns` to a garbage value: the rule must then produce 0 results.
`from codepathfinder.go_rule import PyHtml`