On May 6, 2007, at 2:22 AM, Qiangning Hong wrote:
>
> I'm porting from genshi to mako for my blog application, and found two
> important features lacking in Mako:
>
> 1. Auto HTML escaping. I must escape explicitly in Mako to avoid XSS
> attacks. It's error-prone, but I can live with that.
Filters can be applied across all expressions within a page using the
"escapes" attribute in <%page>, or programmatically across all
expressions in all templates within a lookup via the
"default_filters" argument to TemplateLookup.
> 2. Auto-close open tags in HTML. In Genshi, the HTML() function will
> close open tags automatically, e.g. HTML('<i>asdf') will produce
> '<i>asdf</i>'. It keeps users' input from messing up the page
> layout, which is very important for a system that allows users to input
> HTML directly.
Mako doesn't follow a filtering model the way Genshi does, and does
not have any awareness of "markup" within the output of a template.
Also, I would not advise allowing user-entered text to be processed
directly by Mako, since a Mako template is essentially a Python module
with different syntax; users could execute any arbitrary Python
code. There's no reason, though, you can't use Genshi's HTML() function
for processing user input and embed the sanitized content via the
HTMLSanitizer within the context of a Mako-based layout. If you
wanted this form of processing to occur for developer-created
templates, it could be established as a template preprocessor using
the "preprocessor" argument to Template or TemplateLookup, which
would process the markup appropriately before sending to Mako's
parser. It would require that Genshi's processor doesn't trip up on
Mako's specific syntaxes.
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
For more options, visit this group at
http://groups.google.com/group/pylons-discuss?hl=en