Escape single and double quotes, always

Signed-off-by: Ivan Kanakarakis <[email protected]>

Author: c00kiemon5ter

src/saml2/pack.py

@@ -68,6 +68,10 @@
 </html>"""
 
 
+def _html_escape(payload):
+    return html.escape(payload, quote=True)
+
+
 def http_form_post_message(message, location, relay_state="",
                            typ="SAMLRequest", **kwargs):
     """The HTTP POST binding defines a mechanism by which SAML protocol
@@ -91,15 +95,15 @@ def http_form_post_message(message, location, relay_state="",
     _msg = _msg.decode('ascii')
 
     saml_response_input = HTML_INPUT_ELEMENT_SPEC.format(
-            name=html.escape(typ),
-            val=html.escape(_msg),
+            name=_html_escape(typ),
+            val=_html_escape(_msg),
             type='hidden')
 
     relay_state_input = ""
     if relay_state:
         relay_state_input = HTML_INPUT_ELEMENT_SPEC.format(
                 name='RelayState',
-                val=html.escape(relay_state),
+                val=_html_escape(relay_state),
                 type='hidden')
 
     response = HTML_FORM_SPEC.format(