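def htmlFilter(request, d):
    """Filter every value in ``d`` in place through ``Html.clean`` or ``Html.escape``.

    Fields named in the posted ``__htmlfields`` value (a comma-separated
    list read from ``request._post``) go through ``Html.clean()``; every
    other field goes through ``Html.escape()``. No field is left unfiltered.

    Args:
        request: object whose ``_post`` mapping holds the raw posted fields;
            ``_post['__htmlfields']`` is indexed and its first element is
            split on commas.
        d: mapping of field name to an iterable of strings. Each value is
            replaced with a new list of filtered strings.

    Returns:
        None. ``d`` is modified in place.
    """
    # Note that spoofing __htmlfields doesn't help an attacker get unsafe
    # html in; we always call either clean() or escape().
    #
    # NOTE(review): __htmlfields is client-supplied, so the client decides
    # which fields get clean() instead of escape(). The guarantee above holds
    # only if clean() output is safe in every place any of these fields is
    # later rendered (element content vs. attribute values, for example).
    # Confirm against the templates, or intersect the posted names with a
    # server-side allow-list of rich-text fields.
    try:
        # Don't use request['__htmlfields'], or you will recurse infinitely.
        raw_names = request._post['__htmlfields'][0]
    except (KeyError, IndexError):
        # A missing field, or a field present with no values, means nothing
        # is treated as rich HTML: everything falls through to escape().
        html_fields = frozenset()
    else:
        # Names are matched exactly as posted (no whitespace stripping), so a
        # malformed name fails to match and the field is escaped, which is
        # the stricter of the two filters.
        html_fields = frozenset(raw_names.split(','))

    for key in d:
        # Only existing keys are reassigned, so mutating d while iterating
        # its keys is safe here.
        sanitize = Html.clean if key in html_fields else Html.escape
        d[key] = [sanitize(s) for s in d[key]]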