On Jul 6, 12:12 am, "Neil Blakey-Milner" <[EMAIL PROTECTED]> wrote:
> On 7/6/07, Mike Orr <[EMAIL PROTECTED]> wrote:
>
> > A well-formed template doesn't necessarily mean the output is
> > well-formed, especially if HTML markup is inserted via placeholder
> > variables.  Sometimes the source is legacy data or outside your
> > control.
>
> I'm not sure you are right on this.  As far as I understand, if you
> use HTML(foo) in Genshi, it'll convert that to a markup stream.  When
> you use it in py:replace, py:content, or ${}, you'll convert the
> non-well-formed HTML to the output format (i.e., XHTML, HTML4, &c.)
> specified in the template engine.

Yeah, in Genshi ${'<>'} outputs &lt;&gt;.  It's *possible* to create
malformed output in Genshi using the Markup object to include raw
content, but this is not recommended.  As Neil mentions the HTML()
function will parse the content to include in the stream and will
produce a well-formed set of tags.  Genshi doesn't verify that the
output is valid at the DTD level, but the output will be well-formed.

However, as everyone's said, you don't need to use Genshi to verify
well-formedness.  IMO Genshi's implicit escaping of variables for
[X]HTML output is more important for preventing XSS than for
guaranteeing valid output (though I should follow up on this since I
think Mako could do some stuff to handle escaping too).  That said,
when I mention Genshi to people I often encourage them to look at Mako
too since I think both are good tools to create great apps.  Choosing
one comes down to what you need for your application and a bit of
personal preference.

-- Matt
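As an added illustration of the escaping behaviour discussed in this thread (example code written for this page, not code from the thread and not Genshi's own implementation): a small stand-in model of a template engine that escapes `${}` values by default, lets a `Markup` wrapper bypass escaping, and checks the result for XHTML well-formedness. The `Markup` class, `render()` and the `<p>${comment}</p>` template are constructed for the demo; the sample input is a constructed hostile comment.

```python
import html
import re
import xml.etree.ElementTree as ET


class Markup(str):
    """A string the author has declared safe; the renderer inserts it verbatim.
    This models the role of Genshi's Markup object, it is not Genshi's code."""


def escape(value):
    """Escape a value for [X]HTML unless it was explicitly marked as safe markup."""
    if isinstance(value, Markup):
        return str(value)
    return html.escape(str(value), quote=True)


_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def render(template, context):
    """Substitute ${name} placeholders, escaping each value by default."""
    return _PLACEHOLDER.sub(lambda m: escape(context[m.group(1)]), template)


def is_well_formed(document):
    """True if the rendered output parses as XML, i.e. is well-formed XHTML."""
    try:
        ET.fromstring(document)
        return True
    except ET.ParseError:
        return False


# Constructed sample: a comment field containing untrusted markup.
TEMPLATE = "<p>${comment}</p>"
HOSTILE = "<script>alert(1)</script>"


def demo():
    """Return (escaped, raw, broken) renderings of the same template."""
    escaped = render(TEMPLATE, {"comment": HOSTILE})           # default: escaped
    raw = render(TEMPLATE, {"comment": Markup(HOSTILE)})       # Markup: inserted as-is
    broken = render(TEMPLATE, {"comment": Markup("<b>oops")})  # Markup: malformed
    return escaped, raw, broken
```

The escaped rendering is both well-formed and inert; the `Markup` renderings show that bypassing escaping can give output that is well-formed yet still carries the script, or that is not well-formed at all.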


You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
For more options, visit this group at 
http://groups.google.com/group/pylons-discuss?hl=en