{
  "id": "django__django-11276",
  "question": "Use Python stdlib html.escape() to in django.utils.html.escape()\nDescription\n\t\nThe function django.utils.html.escape() partially duplicates the Python stdlib function html.escape(). We can replace this duplication with wider community developed version.\nhtml.escape() has been available since Python 3.2:\n​https://docs.python.org/3/library/html.html#html.escape\nThis function is also faster than Django's. As Python bug ​https://bugs.python.org/issue18020 concludes, using .replace() can be faster than .translate(). This function gets called numerous times when rendering templates. After making the change locally, I saw the following improvement:\nmaster:\n$ python -m timeit -s 'from django.utils.html import escape' 'escape(copyright)'\n50000 loops, best of 5: 4.03 usec per loop\nbranch:\n$ python -m timeit -s 'from django.utils.html import escape' 'escape(copyright)'\n100000 loops, best of 5: 2.45 usec per loop\nOne small concern, html.escape() converts ' to &#x27 rather than &#39. These values are functionally equivalent HTML, but I'll mention it as a backwards incompatible change as the literal text has changed\n",
  "answer": "{\"task_id\": \"7d3c988b-5588-415a-9236-26af58a3f8b5\", \"workflow_run_id\": \"8405604b-0da1-4e6e-80ed-bd3a1076ca59\", \"data\": {\"id\": \"8405604b-0da1-4e6e-80ed-bd3a1076ca59\", \"workflow_id\": \"9a0a6efa-4d15-4876-b13f-4fb6a999caa2\", \"status\": \"succeeded\", \"outputs\": {\"final_patch\": [\"--- a/django/utils/html.py\\n+++ b/django/utils/html.py\\n@@ -1,6 +1,7 @@\\n \\\"\\\"\\\"HTML utilities suitable for global use.\\\"\\\"\\\"\\n \\n import html\\n+import html as html_stdlib\\n import json\\n import re\\n from html.parser import HTMLParser\\n@@ -12,19 +13,8 @@ from django.utils.safestring import SafeData, mark_safe\\n \\n \\n def escape(text):\\n-    \\\"\\\"\\\"\\n-    Return the given text with ampersands, quotes and angle brackets encoded\\n-    for use in HTML.\\n-\\n-    Always escape input, even if it's already escaped and marked as such.\\n-    This may result in double-escaping. If this is a concern, use\\n-    conditional_escape() instead.\\n-    \\\"\\\"\\\"\\n-    return (\\n-        str(text)\\n-        .replace(\\\"&\\\", \\\"&amp;\\\")\\n-        .replace(\\\"<\\\", \\\"&lt;\\\")\\n-        .replace(\\\">\\\", \\\"&gt;\\\")\\n-        .replace('\\\"', \\\"&quot;\\\")\\n-        .replace(\\\"'\\\", \\\"&#x27;\\\")\\n-    )\\n+    \\\"\\\"\\\"Return the given text with HTML entities escaped.\\\"\\\"\\\"\\n+    return html_stdlib.escape(str(text), quote=True)\", \"--- a/django/utils/html.py\\n+++ b/django/utils/html.py\\n@@ -12,19 +12,12 @@ from django.utils.safestring import SafeData, mark_safe\\n \\n \\n def escape(text):\\n     \\\"\\\"\\\"\\n-    Return the given text with ampersands, quotes and angle brackets encoded\\n+    Return the given text with ampersands, quotes and angle brackets encoded\\n     for use in HTML.\\n \\n     Always escape input, even if it's already escaped and marked as such.\\n     This may result in double-escaping. If this is a concern, use\\n     conditional_escape() instead.\\n     \\\"\\\"\\\"\\n-    return (\\n-        str(text)\\n-        .replace(\\\"&\\\", \\\"&amp;\\\")\\n-        .replace(\\\"<\\\", \\\"&lt;\\\")\\n-        .replace(\\\">\\\", \\\"&gt;\\\")\\n-        .replace('\\\"', \\\"&quot;\\\")\\n-        .replace(\\\"'\\\", \\\"&#x27;\\\")\\n-    )\\n+    return html.escape(str(text), quote=True)\", \"--- a/django/utils/html.py\\n+++ b/django/utils/html.py\\n@@ -12,19 +12,14 @@ from django.utils.safestring import SafeData, mark_safe\\n \\n \\n def escape(text):\\n     \\\"\\\"\\\"\\n     Return the given text with ampersands, quotes and angle brackets encoded\\n     for use in HTML.\\n \\n     Always escape input, even if it's already escaped and marked as such.\\n     This may result in double-escaping. If this is a concern, use\\n     conditional_escape() instead.\\n+    \\n+    Note: Single quotes are escaped as &#x27; (not &#39;) for compatibility\\n+    with the Python standard library html.escape().\\n     \\\"\\\"\\\"\\n-    return (\\n-        str(text)\\n-        .replace(\\\"&\\\", \\\"&amp;\\\")\\n-        .replace(\\\"<\\\", \\\"&lt;\\\")\\n-        .replace(\\\">\\\", \\\"&gt;\\\")\\n-        .replace('\\\"', \\\"&quot;\\\")\\n-        .replace(\\\"'\\\", \\\"&#x27;\\\")\\n-    )\\n+    return html.escape(str(text), quote=True)\", \"--- a/django/utils/html.py\\n+++ b/django/utils/html.py\\n@@ -12,19 +12,8 @@ from django.utils.safestring import SafeData, mark_safe\\n \\n \\n def escape(text):\\n     \\\"\\\"\\\"\\n-    Return the given text with ampersands, quotes and angle brackets encoded\\n+    Return the given text with ampersands, quotes and angle brackets encoded\\n     for use in HTML.\\n \\n     Always escape input, even if it's already escaped and marked as such.\\n     This may result in double-escaping. If this is a concern, use\\n     conditional_escape() instead.\\n     \\\"\\\"\\\"\\n-    return (\\n-        str(text)\\n-        .replace(\\\"&\\\", \\\"&amp;\\\")\\n-        .replace(\\\"<\\\", \\\"&lt;\\\")\\n-        .replace(\\\">\\\", \\\"&gt;\\\")\\n-        .replace('\\\"', \\\"&quot;\\\")\\n-        .replace(\\\"'\\\", \\\"&#x27;\\\")\\n-    )\\n+    return html.escape(str(text), quote=True)\\n--- a/tests/utils_tests/test_html.py\\n+++ b/tests/utils_tests/test_html.py\\n@@ -42,7 +42,7 @@ class HtmlUtilsTests(SimpleTestCase):\\n     def test_escape(self):\\n         items = (\\n             ('&', '&amp;'),\\n             ('<', '&lt;'),\\n             ('>', '&gt;'),\\n             ('\\\"', '&quot;'),\\n-            (\\\"'\\\", '&#x27;'),\\n+            (\\\"'\\\", '&#x27;'),  # html.escape uses &#x27; not &#39;\\n         )\\n         # Substitution patterns.\\n         for value, output in items:\", \"--- a/django/utils/html.py\\n+++ b/django/utils/html.py\\n@@ -15,16 +15,5 @@ def escape(text):\\n     \\\"\\\"\\\"\\n     Return the given text with ampersands, quotes and angle brackets encoded\\n     for use in HTML.\\n \\n     Always escape input, even if it's already escaped and marked as such.\\n     This may result in double-escaping. If this is a concern, use\\n     conditional_escape() instead.\\n     \\\"\\\"\\\"\\n-    return (\\n-        str(text)\\n-        .replace(\\\"&\\\", \\\"&amp;\\\")\\n-        .replace(\\\"<\\\", \\\"&lt;\\\")\\n-        .replace(\\\">\\\", \\\"&gt;\\\")\\n-        .replace('\\\"', \\\"&quot;\\\")\\n-        .replace(\\\"'\\\", \\\"&#x27;\\\")\\n-    )\\n+    # Use Python's standard library html.escape for better performance\\n+    return html.escape(str(text), quote=True)\", \"diff\\n--- a/django/utils/html.py\\n+++ b/django/utils/html.py\\n@@ -12,19 +12,14 @@ from django.utils.safestring import SafeData, mark_safe\\n \\n \\n def escape(text):\\n     \\\"\\\"\\\"\\n     Return the given text with ampersands, quotes and angle brackets encoded\\n     for use in HTML.\\n \\n     Always escape input, even if it's already escaped and marked as such.\\n     This may result in double-escaping. If this is a concern, use\\n     conditional_escape() instead.\\n+    \\n+    Note: Single quotes are escaped as &#x27; (not &#39;) for compatibility\\n+    with the Python standard library html.escape().\\n     \\\"\\\"\\\"\\n-    return (\\n-        str(text)\\n-        .replace(\\\"&\\\", \\\"&amp;\\\")\\n-        .replace(\\\"<\\\", \\\"&lt;\\\")\\n-        .replace(\\\">\\\", \\\"&gt;\\\")\\n-        .replace('\\\"', \\\"&quot;\\\")\\n-        .replace(\\\"'\\\", \\\"&#x27;\\\")\\n-    )\\n+    return html.escape(str(text), quote=True)\\n\", \"diff\\n--- a/django/utils/html.py\\n+++ b/django/utils/html.py\\n@@ -12,19 +12,14 @@ from django.utils.safestring import SafeData, mark_safe\\n \\n \\n def escape(text):\\n     \\\"\\\"\\\"\\n     Return the given text with ampersands, quotes and angle brackets encoded\\n     for use in HTML.\\n \\n     Always escape input, even if it's already escaped and marked as such.\\n     This may result in double-escaping. If this is a concern, use\\n     conditional_escape() instead.\\n+    \\n+    Note: Single quotes are escaped as &#x27; (not &#39;) for compatibility\\n+    with the Python standard library html.escape().\\n     \\\"\\\"\\\"\\n-    return (\\n-        str(text)\\n-        .replace(\\\"&\\\", \\\"&amp;\\\")\\n-        .replace(\\\"<\\\", \\\"&lt;\\\")\\n-        .replace(\\\">\\\", \\\"&gt;\\\")\\n-        .replace('\\\"', \\\"&quot;\\\")\\n-        .replace(\\\"'\\\", \\\"&#x27;\\\")\\n-    )\\n+    return html.escape(str(text), quote=True)\\n\", \"diff\\n--- a/django/utils/html.py\\n+++ b/django/utils/html.py\\n@@ -12,19 +12,14 @@ from django.utils.safestring import SafeData, mark_safe\\n \\n \\n def escape(text):\\n     \\\"\\\"\\\"\\n     Return the given text with ampersands, quotes and angle brackets encoded\\n     for use in HTML.\\n \\n     Always escape input, even if it's already escaped and marked as such.\\n     This may result in double-escaping. If this is a concern, use\\n     conditional_escape() instead.\\n+    \\n+    Note: Single quotes are escaped as &#x27; (not &#39;) for compatibility\\n+    with the Python standard library html.escape().\\n     \\\"\\\"\\\"\\n-    return (\\n-        str(text)\\n-        .replace(\\\"&\\\", \\\"&amp;\\\")\\n-        .replace(\\\"<\\\", \\\"&lt;\\\")\\n-        .replace(\\\">\\\", \\\"&gt;\\\")\\n-        .replace('\\\"', \\\"&quot;\\\")\\n-        .replace(\\\"'\\\", \\\"&#x27;\\\")\\n-    )\\n+    return html.escape(str(text), quote=True)\\n\"]}, \"error\": \"\", \"elapsed_time\": 88.16338, \"total_tokens\": 39063, \"total_steps\": 30, \"created_at\": 1754648671, \"finished_at\": 1754648759}}"
}