iain duncan wrote:
> On Thu, 2007-27-12 at 20:08 +0200, alex bodnaru wrote:
>>
>> hi lee,
>>
>> thanks for your answer.
>>
>> you have pointed me to another issue.
>>
>> now i've made a widget, with the intention to display already formatted
>> xhtml text segments. hence, i'd like not to escape the markup.
>>
>> XML() would work, if i prepend a valid xml header. i need to invoke a
>> function for that somewhere in the widget class or module.
>>
>> would you recommend a <?python ... ?> segment?
>
> On a related note, I found that using tidy and beautiful soup somewhere
> in the chain was worthwhile, it seems to be the most reliable way of
> making sure bad xhtml wouldn't throw an exception in the template
> rendering. I settled on a custom validator at the input boundary that
> ran tidy on the input and (optionally) used beautiful soup to look for
> bad tags. If tidy couldn't clean it up, the input got rejected. Then you
> can breathe easy knowing XML() won't choke and that you have filtered out
> any tags you don't want for security reasons (script, iframe, what
> not). TinyMCE of course gives you converted html entities too, but can
> be bypassed if the user wants to.
>
> Iain

so you say i can write a validator on output as well?

alex
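An added example, not code from this thread: a sketch in Python of the input-boundary check Iain describes, where markup that cannot be cleaned is rejected before it ever reaches XML(). It swaps tidy and Beautiful Soup for the standard library's XML parser so it runs stand-alone, rejects instead of repairing, and goes beyond the thread by allowlisting tags and attributes rather than looking for bad tags; `validate_fragment`, `RejectedMarkup`, `is_acceptable` and the allowlist contents are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed allowlist (tag -> permitted attributes); tune it to the widget.
ALLOWED = {"div": set(), "p": set(), "br": set(), "em": set(), "strong": set(),
           "ul": set(), "ol": set(), "li": set(), "a": {"href", "title"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL


class RejectedMarkup(ValueError):
    """Raised when a fragment must not reach XML() in the template."""


def _scheme(url):
    # Drop whitespace and control characters first, so a scheme split by a
    # tab or newline is compared in the form a browser would act on.
    try:
        return urlsplit("".join(c for c in url if c > " ")).scheme.lower()
    except ValueError:
        return "invalid"


def validate_fragment(fragment):
    """Return the fragment unchanged if well-formed and allowlisted, else raise."""
    # Refuse DOCTYPE, comments, CDATA and processing instructions outright;
    # this also keeps entity-expansion tricks away from the parser.
    if "<!" in fragment or "<?" in fragment:
        raise RejectedMarkup("declarations are not allowed")
    try:
        # Wrap in one root so a fragment with several top-level elements parses.
        root = ET.fromstring("<div>%s</div>" % fragment)
    except ET.ParseError as exc:
        raise RejectedMarkup("not well-formed: %s" % exc)
    for el in root.iter():
        if el.tag not in ALLOWED:
            raise RejectedMarkup("tag not allowed: %s" % el.tag)
        for name, value in el.attrib.items():
            if name not in ALLOWED[el.tag]:
                raise RejectedMarkup("attribute not allowed: %s" % name)
            if name == "href" and _scheme(value) not in SAFE_SCHEMES:
                raise RejectedMarkup("URL scheme not allowed: %s" % value)
    return fragment


def is_acceptable(fragment):
    try:
        validate_fragment(fragment)
        return True
    except RejectedMarkup:
        return False
```

HTML named entities such as `&nbsp;` are rejected as not well-formed here, so editor output that uses them has to be converted to numeric references before this check.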

