Use markupsafe for escaping? #107
Description
Because of issue #106 I forked this project and changing it so it uses markupsafe for escaping. This not only allows marking safe text, but it also deals with any object with an __html__ function. This function is used by a some projects out there instead of _repr_html_. markupsafe can also deal with the python2/3 string type shenanigans, so it'll help with issue #63. Although I think IPython will still be needed for the event stuff.
The issue is that I don't think I can make these changes completely backwards incompatible. At this point I think I only have two options, neither of which are backwards compatible.
1. Escape text when rendering (in _repr_html_)
The issue here is that the DOM will have both safe and unsafe text, which is not an issue as long as they stay as python objects. The problem is when they are converted to JSON. The safe marking will be lost, since both string types will be written as is into json.
One way to solve this is by escaping all text in to_dict() and then assume all text handled in from_dict() is already escaped. However the current implementation assumes the text passed to from_dict() is unescaped.
2. Escape text and objects while initializing a VDOM instance
The advantage is that I can then always assume that all text in the DOM is already escaped. It also makes it possible to safely handle objects implementing __html__ (and possibly _repr_html_), since they will be evaluated at that instance instead of at a later moment when the object could have changed.
The issue is again with the dictionary and JSON serialization. The current implementation of from_dict() assumes the text is unescaped.
Plan
I would like to take the second approach. The reason is so it's able to reliably handle any object implementing __html__ and _repr_html_.
Any opinions?