display() should escape by default (#915)

- display(some_str) escapes the string by default. This is almost always what you want - display(some_obj) calls repr(obj) and escapes the result. Again, it's a very sensible default - if you want to inject some raw HTML in the output, you can use the new HTML class: display(HTML("<p>hello</p>")).
2025-12-19 18:27:29 -05:00 · 2022-11-03 09:20:10 +01:00
parent 5b671dd1d0
commit 66119157a7
4 changed files with 63 additions and 23 deletions
--- a/pyscriptjs/src/python/pyscript.py
+++ b/pyscriptjs/src/python/pyscript.py
@@ -1,5 +1,6 @@
 import asyncio
 import base64
+import html
 import io
 import time
 from textwrap import dedent
@@ -35,7 +36,7 @@ def identity(value, meta):


 MIME_RENDERERS = {
-    "text/plain": identity,
+    "text/plain": html.escape,
    "text/html": identity,
    "image/png": lambda value, meta: render_image("image/png", value, meta),
    "image/jpeg": lambda value, meta: render_image("image/jpeg", value, meta),
@@ -45,6 +46,18 @@ MIME_RENDERERS = {
 }


+class HTML:
+    """
+    Wrap a string so that display() can render it as plain HTML
+    """
+
+    def __init__(self, html):
+        self._html = html
+
+    def _repr_html_(self):
+        return self._html
+
+
 def eval_formatter(obj, print_method):
    """
    Evaluates a formatter method.
@@ -68,7 +81,7 @@ def format_mime(obj):
    Formats object using _repr_x_ methods.
    """
    if isinstance(obj, str):
-        return obj, "text/plain"
+        return html.escape(obj), "text/plain"

    mimebundle = eval_formatter(obj, "_repr_mimebundle_")
    if isinstance(mimebundle, tuple):