MarkupSafe escapes characters so text is safe to use in HTML and XML. Characters that have special meanings are replaced so that they display as the actual characters. This mitigates injection attacks, meaning untrusted user input can safely be displayed on a page.

The escape() function escapes text and returns a Markup object. The object won’t be escaped anymore, but any text that is used with it will be, ensuring that the result remains safe to use in HTML.

>>> from markupsafe import escape
>>> hello = escape('<em>Hello</em>')
>>> hello
>>> escape(hello)
>>> hello + ' <strong>World</strong>'
Markup('&lt;em&gt;Hello&lt;/em&gt; &lt;strong&gt;World&lt;/strong&gt;')


The docs assume you’re using Python 3. The terms “text” and “string” refer to the str class. In Python 2, this would be the unicode class instead.


Install and update using pip:

pip install -U MarkupSafe