t-strings
diff --git a/‎README.md‎
Lines changed: 0 additions & 13 deletions b/‎README.md‎
Lines changed: 0 additions & 13 deletions
diff --git a/‎tdom/escaping.py‎
Lines changed: 112 additions & 0 deletions b/‎tdom/escaping.py‎
Lines changed: 112 additions & 0 deletions
diff --git a/‎tdom/nodes.py‎
Lines changed: 32 additions & 5 deletions b/‎tdom/nodes.py‎
Lines changed: 32 additions & 5 deletions
@@ -385,19 +385,6 @@ result = html(t"<ul><{Items} /></ul>")
 assert str(result) == "<ul><li>first</li><li>second</li></ul>"
 ```
 
-If you prefer, you can use **explicit fragment syntax** to wrap multiple
-elements in a `Fragment`:
-
-```python
-def Items() -> Node:
-    return html(t'<><li>first</li><li>second</li></>')
-
-result = html(t'<ul><{Items} /></ul>')
-assert str(result) == "<ul><li>first</li><li>second</li></ul>"
-```
-
-This is not required, but it can make your intent clearer.
-
 #### Class-based components
 
 Component functions are great for simple use cases, but for more complex
 
@@ -0,0 +1,112 @@
+import re
+from string.templatelib import Interpolation, Template
+
+from markupsafe import Markup
+from markupsafe import escape as markup_escape
+
+from .utils import format_interpolation as base_format_interpolation
+
+
+def _format_safe(value: object, format_spec: str) -> str:
+    """Use Markup() to mark a value as safe HTML."""
+    assert format_spec == "safe"
+    return Markup(value)
+
+
+def _format_unsafe(value: object, format_spec: str) -> str:
+    """Convert a value to a plain string, forcing it to be treated as unsafe."""
+    assert format_spec == "unsafe"
+    return str(value)
+
+
+CUSTOM_FORMATTERS = (("safe", _format_safe), ("unsafe", _format_unsafe))
+
+
+def format_interpolation(interpolation: Interpolation) -> object:
+    return base_format_interpolation(
+        interpolation,
+        formatters=CUSTOM_FORMATTERS,
+    )
+
+
+def render_template_as_f(template: Template) -> str:
+    """Fully render a template by formatting its interpolations."""
+    parts: list[str] = []
+    for part in template:
+        if isinstance(part, str):
+            parts.append(part)
+        else:
+            parts.append(str(format_interpolation(part)))
+    return "".join(parts)
+
+
+escape_html_text = markup_escape  # unify api for test of project
+
+
+def escape_html_comment(text):
+    """Escape text injected into an HTML comment."""
+    GT = "&gt;"
+    LT = "&lt;"
+
+    if not text:
+        return text
+    # - text must not start with the string ">"
+    if text[0] == ">":
+        text = GT + text[1:]
+
+    # - nor start with the string "->"
+    if text[:2] == "->":
+        text = "-" + GT + text[2:]
+
+    # - nor contain the strings "<!--", "-->", or "--!>"
+    if (index := text.find("<!--")) and index != -1:
+        text = text[:index] + LT + text[index + 1]
+    if (index := text.find("-->")) and index != -1:
+        text = text[: index + 2] + GT + text[index + 3]
+    if (index := text.find("--!>")) and index != -1:
+        text = text[: index + 3] + GT + text[index + 4]
+
+    # - nor end with the string "<!-".
+    if text[-3:] == "<!-":
+        text = text[:-3] + LT + "!-"
+
+    return text
+
+
+def escape_html_style(text):
+    # @TODO: We should maybe make this opt-in or throw a warning that says to
+    # avoid dropping content in STYLEs.
+    LT = "&lt;"
+    close_str = "</style>"
+    close_str_re = re.compile(close_str, re.I | re.A)
+    replace_str = LT + close_str[1:]
+    return re.sub(close_str_re, replace_str, text)
+
+
+def escape_html_script(text):
+    """
+    https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+
+    (from link) The easiest and safest way to avoid the rather strange restrictions
+    described in this section is to always escape an ASCII case-insensitive
+    match for:
+    - "<!--" as "\x3c!--"
+    - "<script" as "\x3cscript"
+    - "</script" as "\x3c/script"`
+
+    This does not make your script *run*; it just tries to prevent accidentally injecting
+    *another* SCRIPT tag into a SCRIPT tag being rendered.
+    """
+    # @TODO: We should maybe make this opt-in or throw a warning that says to
+    # avoid dropping content in SCRIPTs in almost all cases and use
+    # data-* attributes to dump JSON if needed.  Or whatever the latest
+    # best-practices version is because this seems like a "we think we got all the cases"
+    # situation even in the living standard.
+    match_to_replace = (
+        (re.compile("<!--", re.I | re.A), "\x3c!--"),
+        (re.compile("<script", re.I | re.A), "\x3cscript"),
+        (re.compile("</script", re.I | re.A), "\x3c/script"),
+    )
+    for match_re, replace_text in match_to_replace:
+        text = re.sub(match_re, replace_text, text)
+    return text
@@ -1,6 +1,11 @@
 from dataclasses import dataclass, field
 
-from markupsafe import escape
+from .escaping import (
+    escape_html_comment,
+    escape_html_script,
+    escape_html_style,
+    escape_html_text,
+)
 
 # See https://developer.mozilla.org/en-US/docs/Glossary/Void_element
 VOID_ELEMENTS = frozenset(
@@ -45,7 +50,7 @@ class Text(Node):
 
     def __str__(self) -> str:
         # Use markupsafe's escape to handle HTML escaping
-        return escape(self.text)
+        return escape_html_text(self.text)
 
     def __eq__(self, other: object) -> bool:
         # This is primarily of use for testing purposes. We only consider
@@ -66,7 +71,7 @@ class Comment(Node):
     text: str
 
     def __str__(self) -> str:
-        return f"<!--{self.text}-->"
+        return f"<!--{escape_html_comment(self.text)}-->"
 
 
 @dataclass(slots=True)
@@ -100,16 +105,38 @@ def is_void(self) -> bool:
     def is_content(self) -> bool:
         return self.tag in CONTENT_ELEMENTS
 
+    def _children_to_str(self):
+        if not self.children:
+            return ""
+        if self.tag in ("script", "style"):
+            chunks = []
+            for child in self.children:
+                if isinstance(child, Text):
+                    chunks.append(child.text)
+                else:
+                    raise ValueError(
+                        "Cannot serialize non-text content inside a script tag."
+                    )
+            raw_children_str = "".join(chunks)
+            if self.tag == "script":
+                return escape_html_script(raw_children_str)
+            elif self.tag == "style":
+                return escape_html_style(raw_children_str)
+            else:
+                raise ValueError("Unsupported tag for single-level bulk escaping.")
+        else:
+            return "".join(str(child) for child in self.children)
+
     def __str__(self) -> str:
         # We use markupsafe's escape to handle HTML escaping of attribute values
         # which means it's possible to mark them as safe if needed.
         attrs_str = "".join(
-            f" {key}" if value is None else f' {key}="{escape(value)}"'
+            f" {key}" if value is None else f' {key}="{escape_html_text(value)}"'
             for key, value in self.attrs.items()
         )
         if self.is_void:
             return f"<{self.tag}{attrs_str} />"
         if not self.children:
             return f"<{self.tag}{attrs_str}></{self.tag}>"
-        children_str = "".join(str(child) for child in self.children)
+        children_str = self._children_to_str()
         return f"<{self.tag}{attrs_str}>{children_str}</{self.tag}>"