"escaping" variable before passing it to template in Django

Developer https://www.devze.com 2023-02-26 06:43 Source: web
I need to pass HTML code to messages and am doing so using templates.

In order to get the HTML to work, I mark the message as safe in my template:

{{ message|safe }}

However, this leaves me open to attack as I'm displaying user generated content in the message. For example:

messages.success(request, "Awesome! \"%s\" is now active." % user_toy)

If user_toy is generated by the user, HTML will go unescaped. How do I fix this?


I was able to fix this using escape from django.utils.html:

from django.utils.html import escape

messages.success(request, "Awesome! \"%s\" is now active." % escape(user_toy))

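The following is an added, stand-alone illustration of the fix above; it is not code from the original question or answer. It rebuilds the message the way the question does (raw interpolation, then rendered with |safe) next to the escaped version from the answer, and adds a simplified stand-in for Django's format_html so the example runs without Django installed. Assumptions: the SafeString, conditional_escape and format_html defined here are simplified reimplementations of the Django helpers of the same names, html.escape from the standard library performs the same replacements as django.utils.html.escape, and the malicious toy name is a constructed sample.

```python
import html
import re

# Constructed sample: a toy name the user controls, as in the question.
MALICIOUS_TOY = '<img src=x onerror="alert(1)">'


def build_message_unsafe(user_toy: str) -> str:
    # Mirrors the question's original call: the value is interpolated raw, so once
    # the template applies {{ message|safe }} any markup in user_toy is rendered live.
    return 'Awesome! "%s" is now active.' % user_toy


def build_message_escaped(user_toy: str) -> str:
    # Mirrors the answer: escape the user-controlled part *before* interpolation.
    # html.escape replaces &, <, >, " and ' (assumption: same replacements as
    # django.utils.html.escape), so the browser shows the tag as text.
    return 'Awesome! "%s" is now active.' % html.escape(user_toy)


class SafeString(str):
    """Marker type standing in for Django's SafeString (assumption: simplified)."""


def conditional_escape(value) -> str:
    # Strings already marked safe pass through unchanged; everything else is escaped.
    if isinstance(value, SafeString):
        return value
    return html.escape(str(value))


def format_html(fmt: str, *args, **kwargs) -> SafeString:
    # Simplified stand-in for django.utils.html.format_html (assumption): the format
    # string is the developer's trusted markup, every argument is escaped, and the
    # result is marked safe so the template no longer needs a |safe filter at all.
    safe_args = [conditional_escape(a) for a in args]
    safe_kwargs = {k: conditional_escape(v) for k, v in kwargs.items()}
    return SafeString(fmt.format(*safe_args, **safe_kwargs))


# Crude detector for the demonstration: does an HTML tag survive in the output?
TAG_RE = re.compile(r"<[a-zA-Z/][^>]*>")


def contains_live_markup(rendered: str) -> bool:
    return TAG_RE.search(rendered) is not None


if __name__ == "__main__":
    unsafe = build_message_unsafe(MALICIOUS_TOY)
    escaped = build_message_escaped(MALICIOUS_TOY)
    print("raw interpolation :", unsafe, "| live markup:", contains_live_markup(unsafe))
    print("escape() first    :", escaped, "| live markup:", contains_live_markup(escaped))
    # Trusted markup kept, untrusted value escaped, result marked safe.
    print("format_html       :", format_html("Awesome! <strong>{}</strong> is now active.",
                                             MALICIOUS_TOY))
```

The format_html form is the one to prefer when the message itself needs markup: the developer's tags stay in the format string, every interpolated value is escaped, and the returned string is already marked safe, so the template can drop |safe and stop trusting whatever happens to be in the message.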