47 | | |
48 | | === What other features does the toolkit provide? === |
49 | | |
50 | | Beyond the XML-based template engine, Genshi provides: |
51 | | * a [wiki:Documentation/streams.html unified stream-based processing model] for markup, where |
52 | | * streams can come from XML or HTML text, or be [wiki:Documentation/builder.html generated programmatically] using a very simple syntax. |
53 | | * [wiki:Documentation/xpath.html XPath] can be used to query any stream, not just in templates. |
54 | | * Different serialization methods (XML, HTML, and plain text) for streams. |
55 | | * An HTML “sanitizing” filter to strip potentially dangerous elements or attributes from user-submitted HTML markup. |
56 | | * A simple text-based template engine that can be used for generating plain text output. |
57 | | |
58 | | === Why use includes instead of inheritance? === |
59 | | |
60 | | We think that includes are both simpler and more natural for templating. |
61 | | |
62 | | Template inheritance is a concept that fits well with template languages where a master template provide “slots” that are “filled” by the inheriting templates. However, Genshi has no such feature, and instead uses the more powerful and flexible concept of [wiki:Documentation/xml-templates.html match templates]. |
63 | | |
64 | | Furthermore, [http://www.w3.org/TR/xinclude/ XInclude] is a [http://www.w3.org/ W3C] standard, which means that it is more likely to be supported in authoring tools than some esoteric custom notation for including external resources. |
65 | | |
66 | | ''See also GenshiRecipes/PyExtendsEquivalent and GenshiRecipes/PyLayoutEquivalent to find out how the Kid directives `py:extends` and `py:layout` map to includes in Genshi.'' |
67 | | |
68 | | [[Image(http://www.edgewall.org/gfx/opensource-75x65.png, width=75, height=65, align=right)]] |
| 80 | |
| 81 | |
| 82 | == Features and Design == |
| 83 | |
| 84 | === What other features does the toolkit provide? === |
| 85 | |
| 86 | Beyond the XML-based template engine, Genshi provides: |
| 87 | * a [wiki:Documentation/streams.html unified stream-based processing model] for markup, where |
| 88 | * streams can come from XML or HTML text, or be [wiki:Documentation/builder.html generated programmatically] using a very simple syntax. |
| 89 | * [wiki:Documentation/xpath.html XPath] can be used to query any stream, not just in templates. |
| 90 | * Different serialization methods (XML, HTML, and plain text) for streams. |
| 91 | * An HTML “sanitizing” filter to strip potentially dangerous elements or attributes from user-submitted HTML markup. |
| 92 | * A simple text-based template engine that can be used for generating plain text output. |
| 93 | |
| 94 | === Why use includes instead of inheritance? === |
| 95 | |
| 96 | We think that includes are both simpler and more natural for templating. |
| 97 | |
| 98 | Template inheritance is a concept that fits well with template languages where a master template provide “slots” that are “filled” by the inheriting templates. However, Genshi has no such feature, and instead uses the more powerful and flexible concept of [wiki:Documentation/xml-templates.html match templates]. |
| 99 | |
| 100 | Furthermore, [http://www.w3.org/TR/xinclude/ XInclude] is a [http://www.w3.org/ W3C] standard, which means that it is more likely to be supported in authoring tools than some esoteric custom notation for including external resources. |
| 101 | |
| 102 | ''See also GenshiRecipes/PyExtendsEquivalent and GenshiRecipes/PyLayoutEquivalent to find out how the Kid directives `py:extends` and `py:layout` map to includes in Genshi.'' |
| 103 | |
| 104 | [[Image(http://www.edgewall.org/gfx/opensource-75x65.png, width=75, height=65, align=right)]] |
| 105 | |
| 106 | === Is Genshi “sandboxable”? === |
| 107 | |
| 108 | Or: ''“can I use Genshi to allow untrusted users to create and modify templates?”'' |
| 109 | |
| 110 | '''No'''. Genshi allows embedding Python expressions in templates. That code runs with the permissions of the process running your web application. Malicious or misguided users can quite easily construct expressions that result in exposing sensitive information or even destroying data on your server. |
| 111 | |
| 112 | Unfortunately, Python does not yet provide a mode for [http://wiki.python.org/moin/SandboxedPython restricted execution]. Sandboxing Genshi will probably be possible as soon as that changes, but not before. Apparently [http://svn.python.org/view/python/branches/bcannon-objcap/securing_python.txt some progress] is being made, but we'll have to see how that develops. |
| 113 | |
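Review bot: the new "Is Genshi sandboxable?" section (new 106-112) states a distinction that the earlier feature bullet (new 91) leaves implicit: the HTML "sanitizing" filter strips dangerous elements from user-submitted markup, whereas user-authored templates embed Python expressions that run with the permissions of the web application process. Suggest cross-referencing that bullet to this section so readers do not read the sanitizer as a way to accept untrusted templates. Also, "does not yet provide" and "Apparently some progress is being made" are time-sensitive phrasings; dating the statement or pointing to something that tracks the restricted-execution work would keep the answer from going stale.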