Edgewall Software

Changes between Version 81 and Version 82 of GenshiTutorial


Timestamp:
Sep 5, 2007, 4:00:14 PM (13 years ago)
Author:
cmlenz
Comment:

--

  • GenshiTutorial

    v81 v82  
    13661366The `HTML()` function parses a snippet of HTML and returns a Genshi markup stream. It tries to do this in a way that invalid HTML is corrected (for example by fixing the nesting of tags). We then use that function to render the content of the comment. So what does this do, exactly? Well, the comment text is parsed using an HTML parser, fixed up if necessary (and possible), and injected into the template as a markup stream. A template expression that evaluates to a markup stream is treated differently than other data types: it is injected directly into the template output stream, effectively resulting in tags not getting escaped.
    13671367
    1368  '''Note:''' Genshi also provides the `genshi.core.Markup` class, which is just a special string class that flags its content as safe for being included in HTML/XML output for Genshi. So instead of wrapping the comment text inside a call to the `HTML()` function, you could also use `Markup(comment.content)`, which would avoid the reparsing of the content, but at the cost of that content not being subject to stream filters and different serialization methods.
     1368 '''Note:''' Genshi also provides the `genshi.core.Markup` class, which is just a special string class that flags its content as safe for being included in HTML/XML output for Genshi. So instead of wrapping the comment text inside a call to the `HTML()` function, you could also use `Markup(comment.content)`. That would avoid the reparsing of the content, but at the cost of that content not being subject to stream filters and different serialization methods. In a nutshell, using `Markup` is not recommended unless you really know what you're doing.
    13691369
    13701370So at this point our users can include HTML tags in their comments, and the comments will be rendered as HTML. But as noted above, that approach is very dangerous for most real-world applications, so we've got more work to do: we need to sanitize the markup in the comment so that only markup that can be considered safe is let through. Genshi provides a stream filter to help us here: [wiki:Documentation/filters.html#html-sanitizer HTMLSanitizer].
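Review bot: the added closing sentence in the Note ("not recommended unless you really know what you're doing") leaves the actual hazard implicit; since the same paragraph says `Markup` flags its content as safe and skips reparsing, spell out that `Markup(comment.content)` wrapping user-supplied text bypasses the `HTMLSanitizer` filter introduced two paragraphs later, so the sanitizer never sees that content. Suggest changing the sentence to something like "In a nutshell, never wrap untrusted content such as `comment.content` in `Markup`, because it is inserted verbatim and is not subject to the sanitizer filter" so the recommendation ties to the filter-based approach the tutorial goes on to build.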
     
    14661466
    14671467
    1468 === Protecting against Cross-Site Request Forgery ===
    1469 
    1470 '''TODO''':
    1471  * Use Transformer filter to inject form token
    1472  * Check token against cookie before accepting POST requests
    1473 
    1474 
    1475 
    14761468== Summary ==
    14771469
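Review bot: this hunk deletes the whole "Protecting against Cross-Site Request Forgery" section (lines 1468-1475 in v81) rather than completing it, so v82 no longer mentions CSRF anywhere before "== Summary ==". The two removed TODO items ("Use Transformer filter to inject form token" and "Check token against cookie before accepting POST requests") describe the only state-changing protection the comment form would get; if the section is being deferred rather than abandoned, keep a one-line placeholder under the previous heading so readers know the form still accepts POSTs without a token, or note in the change comment where the items were moved.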