Mercurial > genshi > mirror
comparison doc/filters.txt @ 820:9755836bb396 experimental-inline
Sync (old) experimental inline branch with trunk@1027.
| author | cmlenz |
|---|---|
| date | Wed, 11 Mar 2009 17:51:06 +0000 |
| parents | 3eb30e4ece8c |
| children | fe25855324dd |
comparison
equal
deleted
inserted
replaced
| 500:3eb30e4ece8c | 820:9755836bb396 |
|---|---|
| 16 | 16 |
| 17 | 17 |
| 18 HTML Form Filler | 18 HTML Form Filler |
| 19 ================ | 19 ================ |
| 20 | 20 |
| 21 The filter ``genshi.filters.HTMLFormFiller`` can automatically populate an HTML | 21 The filter ``genshi.filters.html.HTMLFormFiller`` can automatically populate an |
| 22 form from values provided as a simple dictionary. When using thi filter, you can | 22 HTML form from values provided as a simple dictionary. When using this filter, |
| 23 basically omit any ``value``, ``selected``, or ``checked`` attributes from form | 23 you can basically omit any ``value``, ``selected``, or ``checked`` attributes |
| 24 controls in your templates, and let the filter do all that work for you. | 24 from form controls in your templates, and let the filter do all that work for |
| 25 you. | |
| 25 | 26 |
| 26 ``HTMLFormFiller`` takes a dictionary of data to populate the form with, where | 27 ``HTMLFormFiller`` takes a dictionary of data to populate the form with, where |
| 27 the keys should match the names of form elements, and the values determine the | 28 the keys should match the names of form elements, and the values determine the |
| 28 values of those controls. For example:: | 29 values of those controls. For example: |
| 30 | |
| 31 .. code-block:: pycon | |
| 29 | 32 |
| 30 >>> from genshi.filters import HTMLFormFiller | 33 >>> from genshi.filters import HTMLFormFiller |
| 31 >>> from genshi.template import MarkupTemplate | 34 >>> from genshi.template import MarkupTemplate |
| 35 | |
| 32 >>> template = MarkupTemplate("""<form> | 36 >>> template = MarkupTemplate("""<form> |
| 33 ... <p> | 37 ... <p> |
| 34 ... <label>User name: | 38 ... <label>User name: |
| 35 ... <input type="text" name="username" /> | 39 ... <input type="text" name="username" /> |
| 36 ... </label><br /> | 40 ... </label><br /> |
| 84 | 88 |
| 85 | 89 |
| 86 HTML Sanitizer | 90 HTML Sanitizer |
| 87 ============== | 91 ============== |
| 88 | 92 |
| 89 The filter ``genshi.filters.HTMLSanitizer`` filter can be used to clean up | 93 The filter ``genshi.filters.html.HTMLSanitizer`` filter can be used to clean up |
| 90 user-submitted HTML markup, removing potentially dangerous constructs that could | 94 user-submitted HTML markup, removing potentially dangerous constructs that could |
| 91 be used for various kinds of abuse, such as cross-site scripting (XSS) attacks:: | 95 be used for various kinds of abuse, such as cross-site scripting (XSS) attacks: |
| 96 | |
| 97 .. code-block:: pycon | |
| 92 | 98 |
| 93 >>> from genshi.filters import HTMLSanitizer | 99 >>> from genshi.filters import HTMLSanitizer |
| 94 >>> from genshi.input import HTML | 100 >>> from genshi.input import HTML |
| 101 | |
| 95 >>> html = HTML("""<div> | 102 >>> html = HTML("""<div> |
| 96 ... <p>Innocent looking text.</p> | 103 ... <p>Innocent looking text.</p> |
| 97 ... <script>alert("Danger: " + document.cookie)</script> | 104 ... <script>alert("Danger: " + document.cookie)</script> |
| 98 ... </div>""") | 105 ... </div>""") |
| 99 >>> sanitize = HTMLSanitizer() | 106 >>> sanitize = HTMLSanitizer() |
| 110 | 117 |
| 111 Inline ``style`` attributes are forbidden by default. If you allow them, the | 118 Inline ``style`` attributes are forbidden by default. If you allow them, the |
| 112 filter will still perform sanitization on the contents any encountered inline | 119 filter will still perform sanitization on the contents any encountered inline |
| 113 styles: the proprietary ``expression()`` function (supported only by Internet | 120 styles: the proprietary ``expression()`` function (supported only by Internet |
| 114 Explorer) is removed, and any property using an ``url()`` which a potentially | 121 Explorer) is removed, and any property using an ``url()`` which a potentially |
| 115 dangerous URL scheme (such as ``javascript:``) are also stripped out:: | 122 dangerous URL scheme (such as ``javascript:``) are also stripped out: |
| 123 | |
| 124 .. code-block:: pycon | |
| 116 | 125 |
| 117 >>> from genshi.filters import HTMLSanitizer | 126 >>> from genshi.filters import HTMLSanitizer |
| 118 >>> from genshi.input import HTML | 127 >>> from genshi.input import HTML |
| 128 | |
| 119 >>> html = HTML("""<div> | 129 >>> html = HTML("""<div> |
| 120 ... <br style="background: url(javascript:alert(document.cookie); color: #000" /> | 130 ... <br style="background: url(javascript:alert(document.cookie); color: #000" /> |
| 121 ... </div>""") | 131 ... </div>""") |
| 122 >>> sanitize = HTMLSanitizer(safe_attrs=HTMLSanitizer.SAFE_ATTRS | set(['style'])) | 132 >>> sanitize = HTMLSanitizer(safe_attrs=HTMLSanitizer.SAFE_ATTRS | set(['style'])) |
| 123 >>> print html | sanitize | 133 >>> print html | sanitize |
| 128 .. warning:: You should probably not rely on the ``style`` filtering, as | 138 .. warning:: You should probably not rely on the ``style`` filtering, as |
| 129 sanitizing mixed HTML, CSS, and Javascript is very complicated and | 139 sanitizing mixed HTML, CSS, and Javascript is very complicated and |
| 130 suspect to various browser bugs. If you can somehow get away with | 140 suspect to various browser bugs. If you can somehow get away with |
| 131 not allowing inline styles in user-submitted content, that would | 141 not allowing inline styles in user-submitted content, that would |
| 132 definitely be the safer route to follow. | 142 definitely be the safer route to follow. |
| 143 | |
| 144 | |
| 145 Transformer | |
| 146 =========== | |
| 147 | |
| 148 The filter ``genshi.filters.transform.Transformer`` provides a convenient way to | |
| 149 transform or otherwise work with markup event streams. It allows you to specify | |
| 150 which parts of the stream you're interested in with XPath expressions, and then | |
| 151 attach a variety of transformations to the parts that match: | |
| 152 | |
| 153 .. code-block:: pycon | |
| 154 | |
| 155 >>> from genshi.builder import tag | |
| 156 >>> from genshi.core import TEXT | |
| 157 >>> from genshi.filters import Transformer | |
| 158 >>> from genshi.input import HTML | |
| 159 | |
| 160 >>> html = HTML('''<html> | |
| 161 ... <head><title>Some Title</title></head> | |
| 162 ... <body> | |
| 163 ... Some <em>body</em> text. | |
| 164 ... </body> | |
| 165 ... </html>''') | |
| 166 | |
| 167 >>> print html | Transformer('body/em').map(unicode.upper, TEXT) \ | |
| 168 ... .unwrap().wrap(tag.u).end() \ | |
| 169 ... .select('body/u') \ | |
| 170 ... .prepend('underlined ') | |
| 171 <html> | |
| 172 <head><title>Some Title</title></head> | |
| 173 <body> | |
| 174 Some <u>underlined BODY</u> text. | |
| 175 </body> | |
| 176 </html> | |
| 177 | |
| 178 This example sets up a transformation that: | |
| 179 | |
| 180 1. matches any `<em>` element anywhere in the body, | |
| 181 2. uppercases any text nodes in the element, | |
| 182 3. strips off the `<em>` start and close tags, | |
| 183 4. wraps the content in a `<u>` tag, and | |
| 184 5. inserts the text `underlined` inside the `<u>` tag. | |
| 185 | |
| 186 A number of commonly useful transformations are available for this filter. | |
| 187 Please consult the API documentation a complete list. | |
| 188 | |
| 189 In addition, you can also perform custom transformations. For example, the | |
| 190 following defines a transformation that changes the name of a tag: | |
| 191 | |
| 192 .. code-block:: pycon | |
| 193 | |
| 194 >>> from genshi import QName | |
| 195 >>> from genshi.filters.transform import ENTER, EXIT | |
| 196 | |
| 197 >>> class RenameTransformation(object): | |
| 198 ... def __init__(self, name): | |
| 199 ... self.name = QName(name) | |
| 200 ... def __call__(self, stream): | |
| 201 ... for mark, (kind, data, pos) in stream: | |
| 202 ... if mark is ENTER: | |
| 203 ... data = self.name, data[1] | |
| 204 ... elif mark is EXIT: | |
| 205 ... data = self.name | |
| 206 ... yield mark, (kind, data, pos) | |
| 207 | |
| 208 A transformation can be any callable object that accepts an augmented event | |
| 209 stream. In this case we define a class, so that we can initialize it with the | |
| 210 tag name. | |
| 211 | |
| 212 Custom transformations can be applied using the `apply()` method of a | |
| 213 transformer instance: | |
| 214 | |
| 215 .. code-block:: pycon | |
| 216 | |
| 217 >>> xform = Transformer('body//em').map(unicode.upper, TEXT) \ | |
| 218 >>> xform = xform.apply(RenameTransformation('u')) | |
| 219 >>> print html | xform | |
| 220 <html> | |
| 221 <head><title>Some Title</title></head> | |
| 222 <body> | |
| 223 Some <u>BODY</u> text. | |
| 224 </body> | |
| 225 </html> | |
| 226 | |
| 227 .. note:: The transformation filter was added in Genshi 0.5. | |
| 228 | |
| 229 | |
| 230 Translator | |
| 231 ========== | |
| 232 | |
| 233 The ``genshi.filters.i18n.Translator`` filter implements basic support for | |
| 234 internationalizing and localizing templates. When used as a filter, it | |
| 235 translates a configurable set of text nodes and attribute values using a | |
| 236 ``gettext``-style translation function. | |
| 237 | |
| 238 The ``Translator`` class also defines the ``extract`` class method, which can | |
| 239 be used to extract localizable messages from a template. | |
| 240 | |
| 241 Please refer to the API documentation for more information on this filter. | |
| 242 | |
| 243 .. note:: The translation filter was added in Genshi 0.4. |