Fix quote escaping in read html attributes.

* Wrap HTML attributes in quotes according to their content.  If it contains a double quote use single quotes, otherwise escape with double quotes.
* Add escape_html utility to ensure quote entities are converted identically across Python versions.

Fixes #1260

pelican/utils.py

@@ -28,6 +28,11 @@ import six
 from six.moves import html_entities
 from six.moves.html_parser import HTMLParser
 
+try:
+    from html import escape
+except ImportError:
+    from cgi import escape
+
 logger = logging.getLogger(__name__)
 
 
@@ -548,6 +553,14 @@ def truncate_html_words(s, num, end_text='...'):
     return out
 
 
+def escape_html(text, quote=True):
+    """Escape '&', '<' and '>' to HTML-safe sequences.
+
+    In Python 2 this uses cgi.escape and in Python 3 this uses html.escape. We
+    wrap here to ensure the quote argument has an identical default."""
+    return escape(text, quote=quote)
+
+
 def process_translations(content_list, order_by=None):
     """ Finds translation and returns them.