Edgewall Software

Changes between Version 73 and Version 74 of GenshiTutorial


Timestamp:
Sep 4, 2007, 8:45:19 PM (17 years ago)
Author:
cmlenz
Comment:

--

  • GenshiTutorial

    v73 v74  
    13441344=== Allowing Markup in Comments ===
    13451345
    1346 At this point we allow users to post plain text comments, but those comments can't include niceties such as hyperlinks or HTML inline formatting (emphasis, etc). A very naive application would simply accept HTML tags in the input, and pass those tags through to the output. That is generally a bad thing, however, as it opens up your site to cross-site scripting (XSS) attacks, which can undermine any security measures you try put into effect (including SSL). And because this is generally not the behavior you want, Genshi XML-escapes everything by default, which makes it safe to include in (X)HTML output.
     1346At this point we allow users to post plain text comments, but those comments can't include niceties such as hyperlinks or HTML inline formatting (emphasis, etc). A very naive application would simply accept HTML tags in the input, and pass those tags through to the output. That is generally a bad thing, however, as it [http://neomeme.net/2007/05/26/reddit-hacked/ opens up] your site to [http://ha.ckers.org/cross-site-scripting.html cross-site scripting] (XSS) attacks, which can undermine any security measures you try put into effect (including SSL). And because this is generally not the behavior you want, Genshi XML-escapes everything by default, which makes it safe to include in (X)HTML output.
    13471347
    13481348  (''Note that as Geddit allows anyone to do anything, we don't actually have any valuable assets to protect, so this exercise is somewhat theoretical. For the rest of this section, just imagine we required users to register and login to submit links or post comments.'')
     
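Review bot: the rewritten paragraph (new line 1346) keeps a grammar slip from the old text: "any security measures you try put into effect" is missing "to"; suggest "any security measures you try to put into effect (including SSL)". The two added links are helpful, but the sentence that follows them could state the reason for the default more directly, since it is the point of the section: comment text is untrusted input, so Genshi escapes it unless the application explicitly marks it as markup.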
    13651365The `HTML()` function parses a snippet of HTML and returns a Genshi markup stream. It tries to do this in a way that invalid HTML is corrected (for example by fixing the nesting of tags). We then use that function to render the content of the comment. So what does this do, exactly? Well, the comment text is parsed using an HTML parser, fixed up if necessary (and possible), and injected into the template as a markup stream. A template expression that evaluates to a markup stream is treated differently than other data types: it is injected directly into the template output stream, effectively resulting in tags not getting escaped.
    13661366
    1367  '''TODO: Mention Markup class'''
    1368 
    1369 So at this point our users can include HTML tags in their comments, and it will be rendered as HTML. But as noted above, that approach is very dangerous for most real-world applications, so we've got more work to do:
    1370 we need to sanitize the markup in the comment so that only markup that can be considered safe is let through. Genshi provide a stream filter to help us here: [wiki:Documentation/filters.html#html-sanitizer HTMLSanitizer].
    1371 
    1372 In `geddit/controller.py`, first add the imports for the `HTML` function and  the `HTMLSanitizer` filter, so that the imports at the top of the file look something like this:
     1367 '''Note:''' Genshi also provides the `genshi.core.Markup` class, which is just a special string class that flags its content as safe for being included in HTML/XML output for Genshi. So instead of wrapping the comment text inside a call to the `HTML()` function, you could also use `Markup(comment.content)`, which would avoid the reparsing of the content, but at the cost of that content not being subject to stream filters and different serialization methods.
     1368
     1369So at this point our users can include HTML tags in their comments, and the comments will be rendered as HTML. But as noted above, that approach is very dangerous for most real-world applications, so we've got more work to do: we need to sanitize the markup in the comment so that only markup that can be considered safe is let through. Genshi provides a stream filter to help us here: [wiki:Documentation/filters.html#html-sanitizer HTMLSanitizer].
     1370
     1371To add sanitization, first add the imports for the `HTML` function and  the `HTMLSanitizer` filter to `geddit/controller.py`, so that the imports at the top of that file look something like this:
    13731372
    13741373{{{