python-liquid 2.0.2__py3-none-any.whl → 2.1.0__py3-none-any.whl

liquid/__init__.py

@@ -56,7 +56,7 @@ from .tag import Tag
 
 from . import future
 
-__version__ = "2.0.2"
+__version__ = "2.1.0"
 
 __all__ = (
     "AwareBoundTemplate",

liquid/builtin/__init__.py

@@ -21,6 +21,7 @@ from .filters.array import sort_natural
 from .filters.array import sum_
 from .filters.array import uniq
 from .filters.array import where
+from .filters.extra import escapejs
 from .filters.extra import safe
 from .filters.math import abs_
 from .filters.math import at_least
@@ -197,3 +198,4 @@ def register(env: Environment) -> None:  # noqa: PLR0915
     env.add_filter("date", date)
 
     env.add_filter("safe", safe)
+    env.add_filter("escapejs", escapejs)

liquid/builtin/filters/extra.py

@@ -2,6 +2,7 @@
 
 from __future__ import annotations
 
+import re
 from typing import TYPE_CHECKING
 
 from liquid import Markup
@@ -19,3 +20,64 @@ def safe(val: str, *, environment: Environment) -> str:
     if environment.autoescape:
         return Markup(val)
     return val
+
+
+# `escapejs` is inspired by https://github.com/salesforce/secure-filters and Django's
+# escapejs filter, https://github.com/django/django/blob/485f483d49144a2ea5401442bc3b937a370b3ca6/django/utils/html.py#L63
+
+_ESCAPE_MAP = {
+    "\\": "\\u005C",
+    "'": "\\u0027",
+    '"': "\\u0022",
+    ">": "\\u003E",
+    "<": "\\u003C",
+    "&": "\\u0026",
+    "=": "\\u003D",
+    "-": "\\u002D",
+    ";": "\\u003B",
+    "`": "\\u0060",
+    "\u2028": "\\u2028",
+    "\u2029": "\\u2029",
+}
+
+_ESCAPE_MAP.update({chr(c): f"\\u{c:04X}" for c in range(32)})
+_ESCAPE_RE = re.compile("[" + re.escape("".join(_ESCAPE_MAP.keys())) + "]")
+
+
+@with_environment
+@string_filter
+def escapejs(val: str, *, environment: Environment) -> str:
+    """Escape characters for safe use in JavaScript string literals.
+
+    This filter escapes a string for embedding inside **JavaScript string
+    literals**, using either single or double quotes (e.g. `'...'` or `"..."`).
+    It replaces control characters and potentially dangerous symbols with
+    their corresponding Unicode escape sequences.
+
+    **Important:** This filter does **not** make strings safe for use in
+    JavaScript template literals (backtick strings), or in raw JavaScript
+    expressions. Use it only when placing data inside quoted JS strings
+    within inline `<script>` blocks or event handlers.
+
+    **Recommended alternatives:**
+        - Pass data using HTML `data-*` attributes and read them in JS via
+          `element.dataset`.
+        - For structured data, prefer a JSON-serialization approach using the
+          JSON filter.
+
+    Escaped characters include:
+        - ASCII control characters (U+0000 to U+001F)
+        - Characters like quotes, angle brackets, ampersands, equals signs
+        - Line/paragraph separators (U+2028, U+2029)
+
+    Args:
+        val: The input string to escape.
+        environment: The active Liquid environment
+
+    Returns:
+        A JavaScript-safe string, with problematic characters escaped as Unicode.
+    """
+    escaped = _ESCAPE_RE.sub(lambda m: _ESCAPE_MAP[m.group()], val)
+    if environment.autoescape:
+        return Markup(escaped)
+    return escaped

liquid/builtin/filters/string.py

@@ -56,7 +56,35 @@ def downcase(val: str) -> str:
 @with_environment
 @string_filter
 def escape(val: str, *, environment: Environment) -> str:
-    """Return _val_ with the characters &, < and > converted to HTML-safe sequences."""
+    """Escape special characters in a string for safe use in HTML.
+
+    This filter replaces the characters `&`, `<`, `>`, `'`, and `"` with their
+    corresponding HTML-safe sequences:
+
+        - `&` -> `&amp;`
+        - `<` -> `&lt;`
+        - `>` -> `&gt;`
+        - `'` -> `&#39;`
+        - `"` -> `&#34;`
+
+    This helps prevent HTML injection (XSS) when rendering untrusted content in
+    HTML element bodies or attributes.
+
+    Important: This filter does **not** make strings safe for use in JavaScript,
+    including in `<script>` blocks, inline event handler attributes (e.g. `onerror`),
+    or other JavaScript contexts. For those cases, use the `escapejs` filter instead.
+
+    When `autoescape` is enabled in the environment, this filter uses the same
+    escaping logic as the environment (via `markupsafe.escape()`). Otherwise, it
+    falls back to Python's standard `html.escape()`.
+
+    Args:
+        val: The input string to escape.
+        environment: The current rendering environment.
+
+    Returns:
+        A string with HTML-special characters replaced by safe escape sequences.
+    """
     if environment.autoescape:
         return markupsafe_escape(str(val))
     return html.escape(val)
@@ -65,10 +93,14 @@ def escape(val: str, *, environment: Environment) -> str:
 @with_environment
 @string_filter
 def escape_once(val: str, *, environment: Environment) -> str:
-    """Return _val_ with the characters &, < and > converted to HTML-safe sequences.
+    """Escape a string for HTML, but avoid double-escaping existing entities.
+
+    Converts characters like `&`, `<`, and `>` to their HTML-safe sequences,
+    but leaves existing HTML entities untouched (e.g., `&amp;` stays `&amp;`).
+
+    This is useful when escaping content that may already be partially escaped.
 
-    It is safe to use `escape_one` on string values that already contain HTML escape
-    sequences.
+    See the `escape` filter for details and limitations.
     """
     if environment.autoescape:
         return Markup(val).unescape()

{python_liquid-2.0.2.dist-info → python_liquid-2.1.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python-liquid
-Version: 2.0.2
+Version: 2.1.0
 Summary: A Python engine for the Liquid template language.
 Project-URL: Change Log, https://github.com/jg-rp/liquid/blob/main/CHANGES.md
 Project-URL: Documentation, https://jg-rp.github.io/liquid/
@@ -105,6 +105,7 @@ $ conda install -c conda-forge python-liquid
 
 - [Python Liquid2](https://github.com/jg-rp/python-liquid2): A new Python engine for Liquid with [extra features](https://jg-rp.github.io/python-liquid2/migration/#new-features).
 - [Ruby Liquid2](https://github.com/jg-rp/ruby-liquid2): Liquid2 templates for Ruby.
+- [Micro Liquid](https://github.com/jg-rp/micro-liquid): A stripped-down Liquid-like template engine for Python. You can think of it as a non-evaluating alternative to Python's [f-strings](https://docs.python.org/3/tutorial/inputoutput.html#formatted-string-literals) or [t-strings](https://docs.python.org/3.14/whatsnew/3.14.html#whatsnew314-pep750).
 - [LiquidScript](https://github.com/jg-rp/liquidscript): A JavaScript engine for Liquid with a similar high-level API to Python Liquid.
 
 ## Quick Start

{python_liquid-2.0.2.dist-info → python_liquid-2.1.0.dist-info}/RECORD

@@ -1,4 +1,4 @@
-liquid/__init__.py,sha256=zUfwx8pnq269-kP7EQShj4j2J8Yi6D04SRDE6hWcsk8,7696
+liquid/__init__.py,sha256=gQBAgPnQURpFuvzPsHbB0XVy2LtBlofIRTVfl4fyvjs,7696
 liquid/analyze_tags.py,sha256=Uc1nueKLRiIejs2JyQIC7u2pxp9l-5HJAMWlg-Qj1m8,7615
 liquid/ast.py,sha256=ec-c8F7B2_yj2FmYiOFnnvu2JSd7c4mzTDGlYeztQ_8,7653
 liquid/context.py,sha256=gSJI1mj7mdcUfiQ09_XCEj5JxAosCGEX85Uuzl9apeI,21505
@@ -22,7 +22,7 @@ liquid/tag.py,sha256=h5jexl6NjUQnM2py4s5db1ksh0s8vi31YHud5kHJt1E,1189
 liquid/template.py,sha256=hLylYHSf9_nkLUymfn8o1hGMrHRhiRfU_QRFMjLPw_A,22376
 liquid/token.py,sha256=gxqMGcGk1fWihz5gQ2BQJzqSEcY7tCAZiIjcdC34P1w,3995
 liquid/undefined.py,sha256=Y57D69YR6yXSHV4x1rg1xtoTe-6M49h-mqlSO7pcRSE,5673
-liquid/builtin/__init__.py,sha256=nOT-bLhh19dktie7SSFOpTaN3mVR-7tDUAJUWGStyJg,6941
+liquid/builtin/__init__.py,sha256=oEzqtKMvqvfoqzcN1Sq_Qbq094hySWNTCnE5Ga-CkcU,7018
 liquid/builtin/content.py,sha256=HXo2ty2cQxsOkXJDhWmcAWC0ny73w9oABaer50zGp70,1122
 liquid/builtin/illegal.py,sha256=RRzzlqo2_scdtbMt_hZq0pr-7khgbxrdub9XH-_goPs,844
 liquid/builtin/output.py,sha256=4r_QJimFTbBdubhdIOG_nweROEOXiWHlp_xNmWXy564,2279
@@ -38,10 +38,10 @@ liquid/builtin/expressions/path.py,sha256=m1J33uIuEFlUaRXR_-G6qcsClOm0B5jbTZ0Pdt
 liquid/builtin/expressions/primitive.py,sha256=Gzaeb-dF84zsMn5ZYhe-FOosnSbkkM2C6JLqjLvK5ns,11352
 liquid/builtin/filters/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 liquid/builtin/filters/array.py,sha256=dMuT15EASXU4ejmNBmawdi92u0f7y_JhqVaGoP48zlg,9843
-liquid/builtin/filters/extra.py,sha256=5YWAz1EoQMbtu7G0yLNtiBVoWUTIehaNuZNIs1VVwN0,550
+liquid/builtin/filters/extra.py,sha256=m13_1nbZyRBl3CZV9WWGLlUZueRPt8cKPEHRAioqM_o,2710
 liquid/builtin/filters/math.py,sha256=A_K2wg5gxm5Ncj9zMGDX_Lt7jjx4bRr3CywbCiCtqxo,3925
 liquid/builtin/filters/misc.py,sha256=t2ZsaDLKRc1-8XxZaiEOh7oAMqFJ4N5-tzfbpLHbmIQ,3466
-liquid/builtin/filters/string.py,sha256=eIzVvC3tltxMf7Mksl3ftoPY_hQ4rDD06CmPD_Y-tQo,10754
+liquid/builtin/filters/string.py,sha256=3Ub1z0VeCeAT07FaDVAazw2J9vFmpqtehtEtujNZxdg,11963
 liquid/builtin/loaders/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 liquid/builtin/loaders/caching_file_system_loader.py,sha256=-9riAxL8933u_w1Ppweia-WkfFlxVU3aCspdiNyD5xQ,1931
 liquid/builtin/loaders/choice_loader.py,sha256=FE23RLMOiWmsRGZv9t6QmlG7bgMEUSblnucAv3j0SBM,2816
@@ -89,7 +89,7 @@ liquid/utils/chain_map.py,sha256=nxkw3wwF6ddlGarIuL7Ii2elm4dU80LySgdQx1oift0,151
 liquid/utils/html.py,sha256=TmqOOpRMsy7fqZLj7X5ybd_XQnWW2YDAVDwTP1Gwf40,1706
 liquid/utils/lru_cache.py,sha256=p7bXOGaUwJpLsREI2lGSzK6lLna5W_k_zNXKWnPJdos,4022
 liquid/utils/text.py,sha256=1SwDECNMaqnnZ05je_AZZgxqzZd6U-mvq5jNU3W1-Qk,841
-python_liquid-2.0.2.dist-info/METADATA,sha256=pRrdM-kcmk3bakF2Ug4yxZ0jwlHhFekdmJ08dFL9nm8,6342
-python_liquid-2.0.2.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-python_liquid-2.0.2.dist-info/licenses/LICENSE,sha256=yAFURzud5ERNHt1rZIPnTLJ92ep7q8y5yG9g5DUMR_E,1075
-python_liquid-2.0.2.dist-info/RECORD,,
+python_liquid-2.1.0.dist-info/METADATA,sha256=hWoZ7ptvnd2teO9UkGuQeDhpYCQxoTbhG42ndbWDwJ0,6694
+python_liquid-2.1.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+python_liquid-2.1.0.dist-info/licenses/LICENSE,sha256=yAFURzud5ERNHt1rZIPnTLJ92ep7q8y5yG9g5DUMR_E,1075
+python_liquid-2.1.0.dist-info/RECORD,,