Edgewall Software

Changes between Version 74 and Version 75 of GenshiTutorial


Timestamp:
Sep 4, 2007, 9:19:37 PM (17 years ago)
Author:
cmlenz
Comment:

--

  • GenshiTutorial

    v74 v75  
    14241424This parses the comment text, runs it through the sanitizer, and serializes it to XHTML. And the result of the transformation is what we'll save to our “database”. Why are we using XHTML here, when we actually use HTML almost everywhere else? Well, we want to be able to include the comment text in Atom feeds, too, and for that they'll need to be well-formed XML.
    14251425
     1426You may want to try performing some XSS attacks by including malicious HTML markup in comments. Try some of the methods shown on the [http://ha.ckers.org/xss.html XSS Cheat Sheet]. You should not be able to get past the sanitizer; if you are, please [/newticket let us now].
     1427
     1428Speaking of the Atom feed, let's update the corresponding template so that it, too, includes the user-submitted HTML tags as markup, instead of as escaped text. Open `geddit/templates/info.xml`, and update it to look as follows:
     1429
     1430{{{
     1431#!genshi
     1432<?xml version="1.0" encoding="utf-8"?>
     1433<feed xmlns="http://www.w3.org/2005/Atom"
     1434      xmlns:py="http://genshi.edgewall.org/">
     1435
     1436  <title>Geddit: ${link.title}</title>
     1437  <id href="${url('/info/%s/' % link.id)}"/>
     1438  <link rel="alternate" href="${url('/info/%s/' % link.id)}" type="text/html"/>
     1439  <link rel="self" href="${url('/feed/%s/' % link.id)}" type="application/atom+xml"/>
     1440  <updated py:with="time=link.comments and link.comments[-1].time or link.time">
     1441    ${time.isoformat()}
     1442  </updated>
     1443
     1444  <?python from genshi import HTML ?>
     1445  <entry py:for="idx, comment in enumerate(reversed(link.comments))">
     1446    <title>Comment ${len(link.comments) - idx} on “${link.title}”</title>
     1447    <link rel="alternate" href="${url('/info/%s/' % link.id)}#comment${idx}"
     1448          type="text/html"/>
     1449    <id>${url('/info/%s/' % link.id)}#comment${idx}</id>
     1450    <author>
     1451      <name>${comment.username}</name>
     1452    </author>
     1453    <updated>${comment.time.isoformat()}</updated>
     1454    <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml">
     1455      ${HTML(comment.content)}
     1456    </div></content>
     1457  </entry>
     1458
     1459</feed>
     1460}}}
     1461
     1462As above, we've added the import of the Genshi `HTML()` function. On the `<content>` element we've added the `type="xhtml"` attribute, and we've added a wrapper `<div>` inside it to declare the XHTML namespace. Finally, inside that `<div>`, we inject the comment text as an HTML-parsed stream, analogous to what we've done in the HTML template.
    14261463
    14271464
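Review bot: the feed-level `<id>` element in the new template puts the IRI in an `href` attribute (`<id href="${url('/info/%s/' % link.id)}"/>`), but Atom's `atom:id` carries its IRI as text content, which is what the entry-level `<id>` further down already does; as written the feed's id is empty, and feed validators will reject it. Suggest `<id>${url('/info/%s/' % link.id)}</id>`. Two smaller points: `${HTML(comment.content)}` inside the `<content type="xhtml">` wrapper is only safe because, as the preceding paragraph says, comment text is run through the sanitizer and serialized to XHTML before it is stored, so every code path that writes `comment.content` has to go through that same step, and the `type="xhtml"` content model additionally depends on the stored markup being well-formed XML; and "let us now" in the XSS paragraph should read "let us know".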