# HG changeset patch
# User cmlenz
# Date 1188933646 0
# Node ID e990fa05d80bbbc624c840456616bc6fc450a49d
# Parent d03e876d9a61b483aad1ba78b4ef2f3ea1d729c8
GenshiTutorial: implement the XSS section.
diff --git a/examples/tutorial/geddit/controller.py b/examples/tutorial/geddit/controller.py
--- a/examples/tutorial/geddit/controller.py
+++ b/examples/tutorial/geddit/controller.py
@@ -4,7 +4,8 @@
 import cherrypy
 from formencode import Invalid
-from genshi.filters import HTMLFormFiller
+from genshi.input import HTML
+from genshi.filters import HTMLFormFiller, HTMLSanitizer
 from geddit.form import LinkForm, CommentForm
 from geddit.lib import ajax, template
@@ -61,6 +62,8 @@
 form = CommentForm()
 try:
 data = form.to_python(data)
+ markup = HTML(data['content']) | HTMLSanitizer()
+ data['content'] = markup.render('xhtml')
 comment = link.add_comment(**data)
 if not ajax.is_xhr():
 raise cherrypy.HTTPRedirect('/info/%s' % link.id)
diff --git a/examples/tutorial/geddit/static/layout.css b/examples/tutorial/geddit/static/layout.css
--- a/examples/tutorial/geddit/static/layout.css
+++ b/examples/tutorial/geddit/static/layout.css
@@ -38,4 +38,5 @@
 border-color: #aaa; color: #000; text-decoration: none; }
+form p.hint { color: #666; font-size: 90%; font-style: italic; margin: 0; }
 form .error { color: #b00; }
diff --git a/examples/tutorial/geddit/templates/_comment.html b/examples/tutorial/geddit/templates/_comment.html
--- a/examples/tutorial/geddit/templates/_comment.html
+++ b/examples/tutorial/geddit/templates/_comment.html
@@ -1,4 +1,5 @@
+
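Review bot: `HTML(data['content'])` on the first added line of the `CommentForm` hunk parses untrusted user input, and genshi's HTML parser raises `genshi.input.ParseError` on malformed markup, which is not a formencode `Invalid`; the `except` clause of the enclosing `try:` lies outside the hunk, so presumably a malformed comment escapes as a server error rather than a form error (confirm against the handler). Catching `ParseError` next to `Invalid` and reporting it as a validation failure would close that gap. Separately, sanitisation only happens on this write path, while the `_comment.html` hunk now emits `${HTML(comment.content)}` without escaping, so any comment stored before this change or by another code path is rendered raw. Either run `HTMLSanitizer()` again at render time or mark the invariant where the content is stored, e.g. `# content is sanitised here and rendered as raw HTML by _comment.html`.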
${comment.content}+
${HTML(comment.content)}
You can use HTML tags here for formatting.