Most automated HTML escaping solutions (ours, http://pypi.python.org/pypi/MarkupSafe) rely on wrapping pre-escaped strings in a wrapper class (e.g., HTMLLiteral), then not escaping any strings that are thus wrapped. These run-time type checks are reasonably fast (I measured 4000 of them per millisecond on a webserver), but not ideal.
Whatever we do, we should probably crib the C-based HTML escaping code from MarkupSafe, but we should also determine the "right way" to do HTML escaping.
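A minimal sketch of the wrapper-class approach described above, added here as an illustration; it is not MarkupSafe's code or this project's. `HTMLLiteral` is the name the text uses as an example, `escape` and `render_comment` are hypothetical, and the standard library's `html.escape` stands in for the C escaping routine.

```python
import html


class HTMLLiteral(str):
    """A str subclass marking its content as already HTML-escaped."""

    def __add__(self, other):
        # Escape the other operand (a no-op if it is wrapped too), so the
        # concatenated result can keep the "already escaped" type.
        return HTMLLiteral(str.__add__(self, escape(other)))

    def __radd__(self, other):
        # Called for `plain_str + HTMLLiteral(...)`.
        return HTMLLiteral(str.__add__(escape(other), self))


def escape(value):
    """Escape value for HTML unless the run-time type check finds the wrapper."""
    if isinstance(value, HTMLLiteral):
        return value  # pre-escaped: escaping again would double-encode
    return HTMLLiteral(html.escape(str(value), quote=True))


def render_comment(author, body_html):
    """Join one untrusted value and one pre-escaped value into a fragment."""
    return (HTMLLiteral("<p><b>") + author + HTMLLiteral("</b>: ")
            + body_html + HTMLLiteral("</p>"))


if __name__ == "__main__":
    # Constructed sample input: a plain (untrusted) name and a trusted body.
    print(render_comment("Tom & <Jerry>", HTMLLiteral("<i>hi</i>")))

    # str methods that are not overridden return a plain str, so the wrapper
    # is lost and the value is escaped again on output (fails safe, but it
    # double-encodes markup that was meant to render).
    lowered = HTMLLiteral("<I>hi</I>").lower()
    print(type(lowered).__name__, escape(lowered))
```

The check only protects output if nothing wraps untrusted input in `HTMLLiteral` directly; the type is an assertion by the caller, not a validation.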