Merge pull request #610 from peppelinux/deprecation_warnings

Use html.escape when available

Author: c00kiemon5ter

src/saml2/pack.py

@@ -8,7 +8,11 @@
 """
 
 import base64
-import cgi
+try:
+    import html
+except:
+    import cgi as html
+
 import logging
 
 import saml2
@@ -64,6 +68,10 @@
 </html>"""
 
 
+def _html_escape(payload):
+    return html.escape(payload, quote=True)
+
+
 def http_form_post_message(message, location, relay_state="",
                            typ="SAMLRequest", **kwargs):
     """The HTTP POST binding defines a mechanism by which SAML protocol
@@ -87,15 +95,15 @@ def http_form_post_message(message, location, relay_state="",
     _msg = _msg.decode('ascii')
 
     saml_response_input = HTML_INPUT_ELEMENT_SPEC.format(
-            name=cgi.escape(typ),
-            val=cgi.escape(_msg),
+            name=_html_escape(typ),
+            val=_html_escape(_msg),
             type='hidden')
 
     relay_state_input = ""
     if relay_state:
         relay_state_input = HTML_INPUT_ELEMENT_SPEC.format(
                 name='RelayState',
-                val=cgi.escape(relay_state),
+                val=_html_escape(relay_state),
                 type='hidden')
 
     response = HTML_FORM_SPEC.format(