On Thu, 2007-27-12 at 20:08 +0200, alex bodnaru wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> hi lee,
>
> thanks for your answer.
>
> you have pointed me to another issue.
>
> now i've made a widget, with the intention to display already formatted
> xhtml text segments. hence, i'd like not to escape the markup.
>
> XML() would work, if i prepend a valid xml header. i need to invoke a
> function for that somewhere in the widget class or module.
>
> would you recommend a <?python ... ?> segment?

On a related note, I found that using tidy and Beautiful Soup somewhere in the chain was worthwhile; it seems to be the most reliable way of making sure bad xhtml wouldn't throw an exception in the template rendering. I settled on a custom validator at the input boundary that ran tidy on the input and (optionally) used Beautiful Soup to look for bad tags. If tidy couldn't clean it up, the input got rejected. Then you can breathe easy knowing XML() won't choke and that you have filtered out any tags you don't want for security reasons (script, iframe, whatnot). TinyMCE of course gives you converted html entities too, but can be bypassed if the user wants to.

Iain
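
One way to implement the input-boundary check described in the message above, as an added example that is not part of the original post. It uses only the Python standard library: a strict XML parse stands in for tidy (it rejects malformed input rather than repairing it) and a tag/attribute allowlist stands in for the Beautiful Soup bad-tag scan. The names `validate_fragment`, `is_acceptable`, `InvalidMarkup` and the allowlist contents are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed policy for this example: only these tags and attributes pass.
ALLOWED_TAGS = {"div", "p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class InvalidMarkup(ValueError):
    """Raised when a fragment must be rejected at the input boundary."""


def validate_fragment(fragment):
    """Return a normalised, <div>-wrapped copy that is safe to pass to XML()."""
    try:
        # Wrapping in one root lets a multi-element fragment parse as a document.
        # It also means a DOCTYPE or a stray closing tag in the input is a
        # well-formedness error, and undefined entities (&nbsp;) are rejected.
        root = ET.fromstring("<div>" + fragment + "</div>")
    except ET.ParseError as exc:
        raise InvalidMarkup("not well-formed: %s" % exc)
    for elem in root.iter():
        # Namespaced tags arrive as "{uri}name" and so never match the allowlist.
        if elem.tag not in ALLOWED_TAGS:
            raise InvalidMarkup("tag not allowed: %s" % elem.tag)
        for name, value in elem.attrib.items():
            if name not in ALLOWED_ATTRS.get(elem.tag, set()):
                raise InvalidMarkup("attribute not allowed: %s@%s" % (elem.tag, name))
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                raise InvalidMarkup("href scheme not allowed")
    # Re-serialise the parsed tree so the output is exactly what was checked;
    # comments and processing instructions are dropped by the default parser.
    return ET.tostring(root, encoding="unicode")


def is_acceptable(fragment):
    """Boolean form for use inside a form validator."""
    try:
        validate_fragment(fragment)
        return True
    except InvalidMarkup:
        return False
```

Because the function returns the re-serialised tree rather than the submitted string, the markup handed to `XML()` is the markup that was validated.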

