cms_form: marshaller escape test + use html.escape

werkzeug.utils.escape will be deprecated.

See pallets/werkzeug@5fd1386

cms_form/marshallers.py

@@ -1,7 +1,7 @@
 # Copyright 2018 Simone Orsi
 # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
 
-import werkzeug.utils
+import html
 
 
 def marshal_request_values(values):
@@ -48,7 +48,7 @@ def marshal_request_values(values):
 def marshal_esc(values, orig_key, orig_value):
     """Transform `foo:esc` inputs to escaped value."""
     k = orig_key[: -len(":esc")]
-    v = werkzeug.utils.escape(orig_value)
+    v = html.escape(orig_value)
     return k, v
 
 

cms_form/tests/test_marshallers.py

@@ -69,3 +69,14 @@ def test_marshal_dict(self):
         self.assertEqual(marshalled["a"], "1")
         self.assertDictEqual(marshalled["b"], {"x": "1", "y": "2", "z": "3"})
         self.assertEqual(marshalled["c"], "3")
+
+    def test_marshal_esc(self):
+        data = MultiDict(
+            [
+                ("a:esc", "<span>I'm bad</span>"),
+                ("b", "<span>I'm bad but I don't care</span>"),
+            ]
+        )
+        marshalled = marshallers.marshal_request_values(data)
+        self.assertEqual(marshalled["a"], "&lt;span&gt;I&#x27;m bad&lt;/span&gt;")
+        self.assertEqual(marshalled["b"], "<span>I'm bad but I don't care</span>")