Then you need to escape the escape sequence.

We may have a dot and to really mean the dot,

That's going to be anything that's not a double quote or a backslash.

But what if you want to literally have a backslash?

Escape

Okay. And this is what we get

The only thing you really have to keep in mind is you have to escape characters that are particular to a regular expression.

This is the basis for cross site scripting.

Here I have our rule for beginning the tokenization of JavaScript.

Benny's not here. I think he went AWOL.

Okay, I'm going to submit this.

Here is the input that doesn't work properly.

That gets put here. Jinja has a syntax called safe.

Why is that?

It inherits some base HTML, and it redefines the content block to basically render one blog.

It's either escaped like we have here or it's just a character by itself all the other letters.

And, here's one thing to look out for.

If we were to look at the source for this page, you can see what we typed in has all been escaped using HTML escaping, which is not exactly what we intended.

If I didn't have this safe here, Jinja 2 would automatically because of the way I configured it when we set it up would escape everything.

Where have those six got to? They've escaped.

On the left is what you'd have to say to Python and on the right is what it means.

They turn into tags.

Now I want to match immediately an opening parenthesis.

Do I trust the user?

As it turns out, this function is already included in Python cgi.escape (s, quote True)

If you escape your HTML, you don't have to worry about it.

By this means, options can be made to have different settings in different parts of theBy this means, options can be made to have different settings in different parts of the pattern.

Escape response

That's pretty simple.

And, as you can see, it works just the same hello, amp blah, blah, blah, blah blah.

If I were to view the source of this file, which you can do in Chrome easily, we can see what happened.

This basically when you accept data from a user, and you're displaying it in your webpage, and you're not escaping it.

All of this looks like 3 characters. It's really just 2.

So another way of writing this function is just to use the cgi module that is included with Python, and let's give this a shot.

I'm going to get rid of these quotes and use single quotes instead so we can test the escaping of those.

When we were escaping, I saw this room.

Heredoc text behaves just like a double quoted string, without the double quotes.

A comment begins with the slash and the star, which is indicated right here.

Actually what we did is we allowed links and image, and then we broke all other HTML.

So what we're going to do is we're in our write_form function when we print out values that came from the user, we want to make sure they're Escaped so we want to call it on everything that came from the user.

But the nicest way to fix this is through a method called Escaping hence, the title of this page.

This is a well formed, well balanced string literal with double quotes and some escaped double quotes.

Instead of including a ( ), we convert it to ( amp quot ) and we can also Escape angled brackets.

Any regular expression starts with r' or r .

Now we can check for that, and there's a couple of ways to go around this.