#2830: add html.escape() helper and move cgi.escape() uses in the standard library to it. It defaults to quote=True and also escapes single quotes, which makes casual use safer. The cgi.escape() interface is not touched, but emits a (silent) PendingDeprecationWarning.
diff --git a/Misc/NEWS b/Misc/NEWS
index a87dacf..abba90d 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -24,6 +24,9 @@
Library
-------
+- Issue #2830: Add the ``html.escape()`` function, which quotes all problematic
+ characters by default. Deprecate ``cgi.escape()``.
+
- Issue 9409: Fix the regex to match all kind of filenames, for interactive
debugging in doctests.