# HG changeset patch
# User cmlenz
# Date 1188933646 0
# Node ID e990fa05d80bbbc624c840456616bc6fc450a49d
# Parent  d03e876d9a61b483aad1ba78b4ef2f3ea1d729c8
GenshiTutorial: implement the XSS section.

diff --git a/examples/tutorial/geddit/controller.py b/examples/tutorial/geddit/controller.py
--- a/examples/tutorial/geddit/controller.py
+++ b/examples/tutorial/geddit/controller.py
@@ -4,7 +4,8 @@
 
 import cherrypy
 from formencode import Invalid
-from genshi.filters import HTMLFormFiller
+from genshi.input import HTML
+from genshi.filters import HTMLFormFiller, HTMLSanitizer
 
 from geddit.form import LinkForm, CommentForm
 from geddit.lib import ajax, template
@@ -61,6 +62,8 @@
             form = CommentForm()
             try:
                 data = form.to_python(data)
+                markup = HTML(data['content']) | HTMLSanitizer()
+                data['content'] = markup.render('xhtml')
                 comment = link.add_comment(**data)
                 if not ajax.is_xhr():
                     raise cherrypy.HTTPRedirect('/info/%s' % link.id)
diff --git a/examples/tutorial/geddit/static/layout.css b/examples/tutorial/geddit/static/layout.css
--- a/examples/tutorial/geddit/static/layout.css
+++ b/examples/tutorial/geddit/static/layout.css
@@ -38,4 +38,5 @@
   border-color: #aaa; color: #000; text-decoration: none;
 }
 
+form p.hint { color: #666; font-size: 90%; font-style: italic; margin: 0; }
 form .error { color: #b00; }
diff --git a/examples/tutorial/geddit/templates/_comment.html b/examples/tutorial/geddit/templates/_comment.html
--- a/examples/tutorial/geddit/templates/_comment.html
+++ b/examples/tutorial/geddit/templates/_comment.html
@@ -1,4 +1,5 @@
+<?python from genshi import HTML ?>
 <li id="comment$num">
   <strong>${comment.username}</strong> at ${comment.time.strftime('%x %X')}
-  <blockquote>${comment.content}</blockquote>
+  <blockquote>${HTML(comment.content)}</blockquote>
 </li>
diff --git a/examples/tutorial/geddit/templates/_form.html b/examples/tutorial/geddit/templates/_form.html
--- a/examples/tutorial/geddit/templates/_form.html
+++ b/examples/tutorial/geddit/templates/_form.html
@@ -12,6 +12,7 @@
     <td>
       <textarea id="comment" name="content" rows="6" cols="50"></textarea>
       <span py:if="'content' in errors" class="error"><br />${errors.content}</span>
+      <p class="hint">You can use HTML tags here for formatting.</p>
     </td>
   </tr><tr>
     <td></td>
diff --git a/examples/tutorial/geddit/templates/info.xml b/examples/tutorial/geddit/templates/info.xml
--- a/examples/tutorial/geddit/templates/info.xml
+++ b/examples/tutorial/geddit/templates/info.xml
@@ -6,10 +6,11 @@
   <id href="${url('/info/%s/' % link.id)}"/>
   <link rel="alternate" href="${url('/info/%s/' % link.id)}" type="text/html"/>
   <link rel="self" href="${url('/feed/%s/' % link.id)}" type="application/atom+xml"/>
-  <updated py:with="time=link.comments and link.comments)[-1].time or link.time">
+  <updated py:with="time=link.comments and link.comments[-1].time or link.time">
     ${time.isoformat()}
   </updated>
 
+  <?python from genshi import HTML ?>
   <entry py:for="idx, comment in enumerate(reversed(link.comments))">
     <title>Comment ${len(link.comments) - idx} on “${link.title}”</title>
     <link rel="alternate" href="${url('/info/%s/' % link.id)}#comment${idx}"
@@ -19,7 +20,9 @@
       <name>${comment.username}</name>
     </author>
     <updated>${comment.time.isoformat()}</updated>
-    <content>${comment.content}</content>
+    <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml">
+      ${HTML(comment.content)}
+    </div></content>
   </entry>
 
 </feed>