Mercurial > genshi > mirror
comparison doc/filters.txt @ 820:9755836bb396 experimental-inline
Sync (old) experimental inline branch with trunk@1027.
author | cmlenz |
---|---|
date | Wed, 11 Mar 2009 17:51:06 +0000 |
parents | 3eb30e4ece8c |
children | fe25855324dd |
comparison
equal
deleted
inserted
replaced
500:3eb30e4ece8c | 820:9755836bb396 |
---|---|
16 | 16 |
17 | 17 |
18 HTML Form Filler | 18 HTML Form Filler |
19 ================ | 19 ================ |
20 | 20 |
21 The filter ``genshi.filters.HTMLFormFiller`` can automatically populate an HTML | 21 The filter ``genshi.filters.html.HTMLFormFiller`` can automatically populate an |
22 form from values provided as a simple dictionary. When using thi filter, you can | 22 HTML form from values provided as a simple dictionary. When using this filter, |
23 basically omit any ``value``, ``selected``, or ``checked`` attributes from form | 23 you can basically omit any ``value``, ``selected``, or ``checked`` attributes |
24 controls in your templates, and let the filter do all that work for you. | 24 from form controls in your templates, and let the filter do all that work for |
25 you. | |
25 | 26 |
26 ``HTMLFormFiller`` takes a dictionary of data to populate the form with, where | 27 ``HTMLFormFiller`` takes a dictionary of data to populate the form with, where |
27 the keys should match the names of form elements, and the values determine the | 28 the keys should match the names of form elements, and the values determine the |
28 values of those controls. For example:: | 29 values of those controls. For example: |
30 | |
31 .. code-block:: pycon | |
29 | 32 |
30 >>> from genshi.filters import HTMLFormFiller | 33 >>> from genshi.filters import HTMLFormFiller |
31 >>> from genshi.template import MarkupTemplate | 34 >>> from genshi.template import MarkupTemplate |
35 | |
32 >>> template = MarkupTemplate("""<form> | 36 >>> template = MarkupTemplate("""<form> |
33 ... <p> | 37 ... <p> |
34 ... <label>User name: | 38 ... <label>User name: |
35 ... <input type="text" name="username" /> | 39 ... <input type="text" name="username" /> |
36 ... </label><br /> | 40 ... </label><br /> |
84 | 88 |
85 | 89 |
86 HTML Sanitizer | 90 HTML Sanitizer |
87 ============== | 91 ============== |
88 | 92 |
89 The filter ``genshi.filters.HTMLSanitizer`` filter can be used to clean up | 93 The filter ``genshi.filters.html.HTMLSanitizer`` filter can be used to clean up |
90 user-submitted HTML markup, removing potentially dangerous constructs that could | 94 user-submitted HTML markup, removing potentially dangerous constructs that could |
91 be used for various kinds of abuse, such as cross-site scripting (XSS) attacks:: | 95 be used for various kinds of abuse, such as cross-site scripting (XSS) attacks: |
96 | |
97 .. code-block:: pycon | |
92 | 98 |
93 >>> from genshi.filters import HTMLSanitizer | 99 >>> from genshi.filters import HTMLSanitizer |
94 >>> from genshi.input import HTML | 100 >>> from genshi.input import HTML |
101 | |
95 >>> html = HTML("""<div> | 102 >>> html = HTML("""<div> |
96 ... <p>Innocent looking text.</p> | 103 ... <p>Innocent looking text.</p> |
97 ... <script>alert("Danger: " + document.cookie)</script> | 104 ... <script>alert("Danger: " + document.cookie)</script> |
98 ... </div>""") | 105 ... </div>""") |
99 >>> sanitize = HTMLSanitizer() | 106 >>> sanitize = HTMLSanitizer() |
110 | 117 |
111 Inline ``style`` attributes are forbidden by default. If you allow them, the | 118 Inline ``style`` attributes are forbidden by default. If you allow them, the |
112 filter will still perform sanitization on the contents any encountered inline | 119 filter will still perform sanitization on the contents any encountered inline |
113 styles: the proprietary ``expression()`` function (supported only by Internet | 120 styles: the proprietary ``expression()`` function (supported only by Internet |
114 Explorer) is removed, and any property using an ``url()`` which a potentially | 121 Explorer) is removed, and any property using an ``url()`` which a potentially |
115 dangerous URL scheme (such as ``javascript:``) are also stripped out:: | 122 dangerous URL scheme (such as ``javascript:``) are also stripped out: |
123 | |
124 .. code-block:: pycon | |
116 | 125 |
117 >>> from genshi.filters import HTMLSanitizer | 126 >>> from genshi.filters import HTMLSanitizer |
118 >>> from genshi.input import HTML | 127 >>> from genshi.input import HTML |
128 | |
119 >>> html = HTML("""<div> | 129 >>> html = HTML("""<div> |
120 ... <br style="background: url(javascript:alert(document.cookie); color: #000" /> | 130 ... <br style="background: url(javascript:alert(document.cookie); color: #000" /> |
121 ... </div>""") | 131 ... </div>""") |
122 >>> sanitize = HTMLSanitizer(safe_attrs=HTMLSanitizer.SAFE_ATTRS | set(['style'])) | 132 >>> sanitize = HTMLSanitizer(safe_attrs=HTMLSanitizer.SAFE_ATTRS | set(['style'])) |
123 >>> print html | sanitize | 133 >>> print html | sanitize |
128 .. warning:: You should probably not rely on the ``style`` filtering, as | 138 .. warning:: You should probably not rely on the ``style`` filtering, as |
129 sanitizing mixed HTML, CSS, and Javascript is very complicated and | 139 sanitizing mixed HTML, CSS, and Javascript is very complicated and |
130 suspect to various browser bugs. If you can somehow get away with | 140 suspect to various browser bugs. If you can somehow get away with |
131 not allowing inline styles in user-submitted content, that would | 141 not allowing inline styles in user-submitted content, that would |
132 definitely be the safer route to follow. | 142 definitely be the safer route to follow. |
143 | |
144 | |
145 Transformer | |
146 =========== | |
147 | |
148 The filter ``genshi.filters.transform.Transformer`` provides a convenient way to | |
149 transform or otherwise work with markup event streams. It allows you to specify | |
150 which parts of the stream you're interested in with XPath expressions, and then | |
151 attach a variety of transformations to the parts that match: | |
152 | |
153 .. code-block:: pycon | |
154 | |
155 >>> from genshi.builder import tag | |
156 >>> from genshi.core import TEXT | |
157 >>> from genshi.filters import Transformer | |
158 >>> from genshi.input import HTML | |
159 | |
160 >>> html = HTML('''<html> | |
161 ... <head><title>Some Title</title></head> | |
162 ... <body> | |
163 ... Some <em>body</em> text. | |
164 ... </body> | |
165 ... </html>''') | |
166 | |
167 >>> print html | Transformer('body/em').map(unicode.upper, TEXT) \ | |
168 ... .unwrap().wrap(tag.u).end() \ | |
169 ... .select('body/u') \ | |
170 ... .prepend('underlined ') | |
171 <html> | |
172 <head><title>Some Title</title></head> | |
173 <body> | |
174 Some <u>underlined BODY</u> text. | |
175 </body> | |
176 </html> | |
177 | |
178 This example sets up a transformation that: | |
179 | |
180 1. matches any `<em>` element anywhere in the body, | |
181 2. uppercases any text nodes in the element, | |
182 3. strips off the `<em>` start and close tags, | |
183 4. wraps the content in a `<u>` tag, and | |
184 5. inserts the text `underlined` inside the `<u>` tag. | |
185 | |
186 A number of commonly useful transformations are available for this filter. | |
187 Please consult the API documentation a complete list. | |
188 | |
189 In addition, you can also perform custom transformations. For example, the | |
190 following defines a transformation that changes the name of a tag: | |
191 | |
192 .. code-block:: pycon | |
193 | |
194 >>> from genshi import QName | |
195 >>> from genshi.filters.transform import ENTER, EXIT | |
196 | |
197 >>> class RenameTransformation(object): | |
198 ... def __init__(self, name): | |
199 ... self.name = QName(name) | |
200 ... def __call__(self, stream): | |
201 ... for mark, (kind, data, pos) in stream: | |
202 ... if mark is ENTER: | |
203 ... data = self.name, data[1] | |
204 ... elif mark is EXIT: | |
205 ... data = self.name | |
206 ... yield mark, (kind, data, pos) | |
207 | |
208 A transformation can be any callable object that accepts an augmented event | |
209 stream. In this case we define a class, so that we can initialize it with the | |
210 tag name. | |
211 | |
212 Custom transformations can be applied using the `apply()` method of a | |
213 transformer instance: | |
214 | |
215 .. code-block:: pycon | |
216 | |
217 >>> xform = Transformer('body//em').map(unicode.upper, TEXT) \ | |
218 >>> xform = xform.apply(RenameTransformation('u')) | |
219 >>> print html | xform | |
220 <html> | |
221 <head><title>Some Title</title></head> | |
222 <body> | |
223 Some <u>BODY</u> text. | |
224 </body> | |
225 </html> | |
226 | |
227 .. note:: The transformation filter was added in Genshi 0.5. | |
228 | |
229 | |
230 Translator | |
231 ========== | |
232 | |
233 The ``genshi.filters.i18n.Translator`` filter implements basic support for | |
234 internationalizing and localizing templates. When used as a filter, it | |
235 translates a configurable set of text nodes and attribute values using a | |
236 ``gettext``-style translation function. | |
237 | |
238 The ``Translator`` class also defines the ``extract`` class method, which can | |
239 be used to extract localizable messages from a template. | |
240 | |
241 Please refer to the API documentation for more information on this filter. | |
242 | |
243 .. note:: The translation filter was added in Genshi 0.4. |