
Django: extra HTML character escape in attributes as recommended by OWASP


Django escapes these characters: & < > " ', which is sufficient for inserting data in HTML elements. However, if you want to set untrusted data in attributes, OWASP recommends escaping a lot more characters:

Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format (or a named entity if available) to prevent switching out of the attribute.

Reason being, it's very easy to miss a quote on an attribute and unquoted attributes can be broken out of with many characters, including [space] % * + , - / ; < = > ^ and |

Is there a built-in function or a library to achieve this?

P.S. Another blog post worth reading that explains why a broader escape function is needed in some contexts: http://wonko.com/post/html-escaping


Solution

  • There is no built-in functionality in Django for this, nor is there a library I am aware of.

    The built-in safe HTML filter escapes both attribute and non-attribute payload, so probably an additional filter function for attributes only would be required.

    You can suggest this by opening a feature request against Django in the Django issue tracker.

    I am not sure if the existing built-in filter can be changed. I'd assume adding this functionality to Django's built-in filters could break a lot of legacy applications. I am no expert here, so I suggest you take the discussion to the Django authors. The exploitation risk is quite small, weighed against the possible headache of breaking existing Django applications, so I am not sure how the behavioral change would be received.

    On the other hand, if you need to remember to write a filter for each attribute substitution, you may as well remember to simply close the quotes. I think this technique is more useful in frameworks which do not process templates as plain text.

    Meanwhile, you can also try monkey-patching Django filter functions to perform the extra escaping, by writing your own filter replacement.