Edgewall Software

Changes between Version 76 and Version 77 of GenshiTutorial


Timestamp: Sep 4, 2007, 9:52:20 PM (17 years ago)
Author: cmlenz
  • GenshiTutorial

    v76 v77  
    14221422}}}
    14231423
    1424 This parses the comment text, runs it through the sanitizer, and serializes it to XHTML. And the result of the transformation is what we'll save to our “database”. Why are we using XHTML here, when we actually use HTML almost everywhere else? Well, we want to be able to include the comment text in Atom feeds, too, and for that they'll need to be well-formed XML.
    1425 
    1426  '''Note:''' this is just one way to add sanitization. Another equally valid approach would be to store comment submissions exactly how they were entered, and sanitize them when they are displayed. Or you could have two fields in the model: one to store the text as originally submitted, and the other to store the sanitized content ready for display. Which method you choose depends on the needs of your particular application. Or, if you were really paranoid, you'd sanitize both the input and the output.
     1424This parses the comment text, runs it through the sanitizer, and serializes it to XHTML. And the result of the transformation is what we'll save to our “database”. We use XHTML here just because that can be processed by a wider variety of tools. For the purposes of this tutorial we could just as well be storing the content using HTML serialization, because Genshi can handle both.
     1425
     1426 '''Note:''' this is just one way to add sanitization. Another equally valid approach would be to store comment submissions exactly how they were entered, and sanitize them when they are displayed. Or you could have two fields in the model: one to store the text as originally submitted, and the other to store the sanitized content ready for display. Or, if you were really paranoid, you'd sanitize both the input and the output. Which method you choose depends on the needs of your particular application.
    14271427
    14281428You may want to try performing some XSS attacks by including malicious HTML markup in comments. Try some of the methods shown on the [http://ha.ckers.org/xss.html XSS Cheat Sheet]. You should not be able to get past the sanitizer; if you are, please [/newticket let us now].
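Review bot: the v77 rewording of the XHTML paragraph drops the one justification that actually applies to this tutorial. v76 said the sanitized comment is serialized to XHTML because it is also included in Atom feeds and therefore has to be well-formed XML; v77 replaces that with "can be processed by a wider variety of tools" and adds that HTML serialization would do just as well, yet the feed template changed further down in this same revision still injects the stored comment into an Atom `<content type="xhtml">` element wrapped in an XHTML-namespaced `<div>`, which does require well-formed markup. Suggest keeping the Atom reason next to the new wording, e.g. "We use XHTML here because the same content is included in the Atom feed and must be well-formed XML." Separately, the trailing context line still has the typo "let us now"; it should read "let us know".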
     
    14621462}}}
    14631463
    1464 As above, we've added the import of the Genshi `HTML()` function. On the `<content>` element we've added the `type="xhtml"` attribute, and we've added a wrapper `<div>` inside it to declare the XHTML namespace. Finally, inside that `<div>`, we inject the comment text as an HTML-parsed stream, analogous to what we've done in the HTML template.
     1464Just like above, we've added the import of the Genshi `HTML()` function. On the `<content>` element we've added the `type="xhtml"` attribute, and we've added a wrapper `<div>` inside that element to declare the XHTML namespace. Finally, inside that `<div>`, we inject the comment text as an HTML-parsed stream, analogous to what we've done in the HTML template.
    14651465
    14661466
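Review bot: the wording change is fine, but "we inject the comment text as an HTML-parsed stream" should say which text: the already-sanitized XHTML that the earlier section stores in the database, not the raw submission. That matters because the feed is a second output path for the same user-supplied content, and the note earlier in this revision presents sanitize-on-store and sanitize-on-display as interchangeable alternatives; a reader who chose sanitize-on-display would also need to run the sanitizer in this feed template. Suggested: "we inject the sanitized comment text as an HTML-parsed stream, analogous to what we've done in the HTML template."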