HTML Representations — MarkupSafe documentation
Markupsafe/docs/2.0.x/html
HTML Representations
In many frameworks, if a class implements an __html__ method it will be used to get the object's representation in HTML. MarkupSafe's escape() function and Markup class understand and implement this method: Markup.__html__ returns the Markup object itself, and escape() checks for the method before doing anything else. If an object has an __html__ method it will be called rather than converting the object to a string, and the result will be wrapped in Markup and assumed safe, with no further escaping applied. The method is therefore responsible for escaping anything it interpolates into its output.
For example, an Image class might automatically generate an <img> tag:
```python
from markupsafe import Markup


class Image:
    def __init__(self, url):
        self.url = url

    def __html__(self):
        # Called by escape() and Markup() instead of str(); the returned
        # string is trusted as-is, so url must not come from an untrusted
        # source in this form.
        return f'<img src="{self.url}">'
```

```pycon
>>> img = Image("/static/logo.png")
>>> Markup(img)
Markup('<img src="/static/logo.png">')
```
Since this bypasses escaping, you need to be careful about using user-provided data in the output: escape() and Markup will not touch anything inside the string that __html__ returns. For example, a user's display name should still be escaped explicitly:
```python
from markupsafe import escape


class User:
    def __init__(self, id, name):
        self.id = id
        self.name = name

    def __html__(self):
        # name is user-controlled, so escape it before interpolating it.
        # id is an integer here; if it were user-supplied text it would
        # need escaping too. The surrounding markup is trusted as written.
        return f'<a href="/user/{self.id}">{escape(self.name)}</a>'
```

```pycon
>>> user = User(3, "<script>")
>>> escape(user)
Markup('<a href="/user/3">&lt;script&gt;</a>')
```
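The __html__ protocol described at the top of this page, together with the warning about user-provided data, as an added example that is not part of the MarkupSafe documentation. It assumes markupsafe is installed (pip install markupsafe); the ImportError branch is a stand-in with the same escaping rules so the file still runs without it. The classes Comment, Avatar and UnsafeAvatar and the render() helper are illustrative, not MarkupSafe API. It goes one step past the page's User example: an href or src attribute is a URL context, and HTML-escaping does not neutralise a javascript: scheme, so the safe variant also checks the scheme.

```python
# Added example (not from the MarkupSafe docs). Assumes markupsafe is
# installed; the fallback below mirrors its escaping rules (& > < ' ")
# only so the file runs without the package.
from urllib.parse import urlsplit

try:
    from markupsafe import Markup, escape
except ImportError:  # assumption: minimal stand-in, same rules as markupsafe
    class Markup(str):
        def __html__(self):
            return self

    def escape(obj):
        if hasattr(obj, "__html__"):
            return Markup(obj.__html__())
        s = str(obj)
        for ch, rep in (("&", "&amp;"), (">", "&gt;"), ("<", "&lt;"),
                        ("'", "&#39;"), ('"', "&#34;")):
            s = s.replace(ch, rep)
        return Markup(s)


def render(obj):
    """Return the HTML for obj as a plain str, the way a template would."""
    return str(escape(obj))


class Comment:
    """No __html__: escape() stringifies the object and escapes the result."""

    def __init__(self, text):
        self.text = text

    def __str__(self):
        return self.text


class Avatar:
    """Has __html__, so escape() trusts whatever it returns.

    The URL is user-controlled. Escaping it stops attribute breakout
    (a quote in the value), but not a javascript: URL, so the scheme is
    allowlisted explicitly and a placeholder is used on rejection.
    """

    ALLOWED_SCHEMES = {"", "http", "https"}  # "" means a relative URL

    def __init__(self, url):
        self.url = url

    def __html__(self):
        scheme = urlsplit(self.url).scheme.lower()
        if scheme not in self.ALLOWED_SCHEMES:
            # Refuse rather than emit an attacker-chosen scheme.
            return Markup('<img src="/static/default.png">')
        # Escaped for the attribute context; the surrounding tag is trusted.
        return f'<img src="{escape(self.url)}">'


class UnsafeAvatar(Avatar):
    """The mistake the docs warn about: raw user data inside __html__."""

    def __html__(self):
        return f'<img src="{self.url}">'


if __name__ == "__main__":
    # Constructed sample inputs: one benign, two attacker-controlled.
    for url in ("/static/logo.png", "javascript:alert(1)", 'x" onerror="alert(1)'):
        print("unsafe:", render(UnsafeAvatar(url)))
        print("safe:  ", render(Avatar(url)))
    print(render(Comment("<script>alert(1)</script>")))
```

Markup(obj) takes the same path as escape(obj) for objects with __html__, so the rejected-scheme case behaves identically whichever entry point a template engine uses.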