changeset 631:e990fa05d80b trunk
GenshiTutorial: implement the XSS section.
author | cmlenz |
---|---|
date | Tue, 04 Sep 2007 19:20:46 +0000 |
parents | d03e876d9a61 |
children | e5c57d7611f2 |
files | examples/tutorial/geddit/controller.py examples/tutorial/geddit/static/layout.css examples/tutorial/geddit/templates/_comment.html examples/tutorial/geddit/templates/_form.html examples/tutorial/geddit/templates/info.xml |
diffstat | 5 files changed, 13 insertions(+), 4 deletions(-) [+] |
--- a/examples/tutorial/geddit/controller.py
+++ b/examples/tutorial/geddit/controller.py
@@ -4,7 +4,8 @@
 import cherrypy
 from formencode import Invalid
-from genshi.filters import HTMLFormFiller
+from genshi.input import HTML
+from genshi.filters import HTMLFormFiller, HTMLSanitizer
 from geddit.form import LinkForm, CommentForm
 from geddit.lib import ajax, template
@@ -61,6 +62,8 @@
 form = CommentForm()
 try:
 data = form.to_python(data)
+ markup = HTML(data['content']) | HTMLSanitizer()
+ data['content'] = markup.render('xhtml')
 comment = link.add_comment(**data)
 if not ajax.is_xhr():
 raise cherrypy.HTTPRedirect('/info/%s' % link.id)
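Review bot: The sanitizer runs only on this one write path, while `_comment.html` and `info.xml` in this same changeset now re-parse every stored `comment.content` with `HTML()` as trusted markup, so any other writer of that field (comments saved before this change, or a future edit endpoint) reaches the page and the feed without escaping. Sanitizing inside `link.add_comment()` (or wherever the content is persisted) would keep the trust decision next to the storage it protects; at minimum add `# templates render comment.content via HTML() without escaping: every writer must pass it through HTMLSanitizer first` above the new `markup = ...` line, and a matching `<!--! content is sanitized at write time in controller.py -->` note in the two templates. `HTML()` can also raise `genshi.input.ParseError` on malformed input; if the `except` clause of this `try` handles only formencode's `Invalid`, that surfaces as an unhandled error instead of a form error. The except clause and the rest of the enclosing function lie outside the hunk.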
--- a/examples/tutorial/geddit/static/layout.css
+++ b/examples/tutorial/geddit/static/layout.css
@@ -38,4 +38,5 @@
 border-color: #aaa; color: #000; text-decoration: none; }
+form p.hint { color: #666; font-size: 90%; font-style: italic; margin: 0; }
 form .error { color: #b00; }
--- a/examples/tutorial/geddit/templates/_comment.html
+++ b/examples/tutorial/geddit/templates/_comment.html
@@ -1,4 +1,5 @@
+<?python from genshi import HTML ?>
 <li id="comment$num">
 <strong>${comment.username}</strong> at ${comment.time.strftime('%x %X')}
- <blockquote>${comment.content}</blockquote>
+ <blockquote>${HTML(comment.content)}</blockquote>
 </li>
--- a/examples/tutorial/geddit/templates/_form.html
+++ b/examples/tutorial/geddit/templates/_form.html
@@ -12,6 +12,7 @@
 <td>
 <textarea id="comment" name="content" rows="6" cols="50"></textarea>
 <span py:if="'content' in errors" class="error"><br />${errors.content}</span>
+ <p class="hint">You can use HTML tags here for formatting.</p>
 </td>
 </tr><tr>
 <td></td>
--- a/examples/tutorial/geddit/templates/info.xml
+++ b/examples/tutorial/geddit/templates/info.xml
@@ -6,10 +6,11 @@
 <id href="${url('/info/%s/' % link.id)}"/>
 <link rel="alternate" href="${url('/info/%s/' % link.id)}" type="text/html"/>
 <link rel="self" href="${url('/feed/%s/' % link.id)}" type="application/atom+xml"/>
- <updated py:with="time=link.comments and link.comments)[-1].time or link.time">
+ <updated py:with="time=link.comments and link.comments[-1].time or link.time">
 ${time.isoformat()}
 </updated>
+ <?python from genshi import HTML ?>
 <entry py:for="idx, comment in enumerate(reversed(link.comments))">
 <title>Comment ${len(link.comments) - idx} on “${link.title}”</title>
 <link rel="alternate" href="${url('/info/%s/' % link.id)}#comment${idx}"
@@ -19,7 +20,9 @@
 <name>${comment.username}</name>
 </author>
 <updated>${comment.time.isoformat()}</updated>
- <content>${comment.content}</content>
+ <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml">
+ ${HTML(comment.content)}
+ </div></content>
 </entry>
 </feed>