#2830: add html.escape() helper and move cgi.escape() uses in the standard library to it.  It defaults to quote=True and also escapes single quotes, which makes casual use safer.  The cgi.escape() interface is not touched, but emits a (silent) PendingDeprecationWarning.
diff --git a/Doc/library/cgi.rst b/Doc/library/cgi.rst
index 49d1488..8c75517 100644
--- a/Doc/library/cgi.rst
+++ b/Doc/library/cgi.rst
@@ -328,9 +328,9 @@
    attribute value delimited by double quotes, as in ``<a href="...">``.  Note
    that single quotes are never translated.
 
-   If the value to be quoted might include single- or double-quote characters,
-   or both, consider using the :func:`~xml.sax.saxutils.quoteattr` function in the
-   :mod:`xml.sax.saxutils` module instead.
+   .. deprecated:: 3.2
+      This function is unsafe because *quote* is false by default, and therefore
+      deprecated.  Use :func:`html.escape` instead.
 
 
 .. _cgi-security:
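Review bot: The new deprecated note names only the *quote* default as the reason the function is unsafe, but the unchanged sentence directly above it says single quotes are never translated, so a caller who passes quote=True is still exposed when the value ends up in a single-quoted attribute. Consider giving both reasons, for example "This function is unsafe because *quote* is false by default and single quotes are never escaped", so readers do not take cgi.escape(s, True) to be an adequate fix. The commit message says the function now emits a PendingDeprecationWarning; the documentation here should mention that too, since the warning is silent and users will otherwise not learn of it from the docs.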
@@ -508,8 +508,8 @@
 
 .. rubric:: Footnotes
 
-.. [#] Note that some recent versions of the HTML specification do state what order the
-   field values should be supplied in, but knowing whether a request was
-   received from a conforming browser, or even from a browser at all, is tedious
-   and error-prone.
+.. [#] Note that some recent versions of the HTML specification do state what
+   order the field values should be supplied in, but knowing whether a request
+   was received from a conforming browser, or even from a browser at all, is
+   tedious and error-prone.
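Review bot: The footnote re-wrap is unrelated to the html.escape() change and alters no wording. Move it to a separate whitespace-only commit so the history for #2830 stays limited to the new helper and the cgi.escape() deprecation, and so a later blame on this footnote does not point at a security-related change.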