Changes between Version 81 and Version 82 of GenshiTutorial
Timestamp: Sep 5, 2007, 4:00:14 PM (17 years ago)
GenshiTutorial
v81 v82 1366 1366 The `HTML()` function parses a snippet of HTML and returns a Genshi markup stream. It tries to do this in a way that invalid HTML is corrected (for example by fixing the nesting of tags). We then use that function to render the content of the comment. So what does this do, exactly? Well, the comment text is parsed using an HTML parser, fixed up if necessary (and possible), and injected into the template as a markup stream. A template expression that evaluates to a markup stream is treated differently than other data types: it is injected directly into the template output stream, effectively resulting in tags not getting escaped. 1367 1367 1368 '''Note:''' Genshi also provides the `genshi.core.Markup` class, which is just a special string class that flags its content as safe for being included in HTML/XML output for Genshi. So instead of wrapping the comment text inside a call to the `HTML()` function, you could also use `Markup(comment.content)` , which would avoid the reparsing of the content, but at the cost of that content not being subject to stream filters and different serialization methods.1368 '''Note:''' Genshi also provides the `genshi.core.Markup` class, which is just a special string class that flags its content as safe for being included in HTML/XML output for Genshi. So instead of wrapping the comment text inside a call to the `HTML()` function, you could also use `Markup(comment.content)`. That would avoid the reparsing of the content, but at the cost of that content not being subject to stream filters and different serialization methods. In a nutshell, using `Markup` is not recommended unless you really know what you're doing. 1369 1369 1370 1370 So at this point our users can include HTML tags in their comments, and the comments will be rendered as HTML. 
But as noted above, that approach is very dangerous for most real-world applications, so we've got more work to do: we need to sanitize the markup in the comment so that only markup that can be considered safe is let through. Genshi provides a stream filter to help us here: [wiki:Documentation/filters.html#html-sanitizer HTMLSanitizer]. … … 1466 1466 1467 1467 1468 === Protecting against Cross-Site Request Forgery ===1469 1470 '''TODO''':1471 * Use Transformer filter to inject form token1472 * Check token against cookie before accepting POST requests1473 1474 1475 1476 1468 == Summary == 1477 1469
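Review bot: the sentence added to the 1368 note in v82, "In a nutshell, using `Markup` is not recommended unless you really know what you're doing.", gives a recommendation without its reason, and the reason is already in the same paragraph: content wrapped in `Markup` is "not subject to stream filters", and the HTMLSanitizer introduced in the very next paragraph is a stream filter, so `Markup(comment.content)` would put user-submitted tags into the output with no sanitization at all. Suggest stating that consequence directly, for example: "In a nutshell, `Markup` bypasses filters such as the HTMLSanitizer described below, so use it only for markup you generate yourself, never for user-submitted text such as comments."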
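Review bot: removing the `=== Protecting against Cross-Site Request Forgery ===` section (lines 1468-1475, the TODO bullets "Use Transformer filter to inject form token" and "Check token against cookie before accepting POST requests") drops the tutorial's only mention of CSRF, so a reader finishing the comment-form walkthrough gets no hint that the form accepts any POST request. If the section is not going to be written, keep a one-line pointer before the `== Summary ==` heading (e.g. "This tutorial does not cover protecting the comment form against cross-site request forgery; a real application should check a per-form token before accepting POST requests") rather than deleting the topic silently.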