You are telling me you are storing this

"<h1> Some Title </h1> <img src='{{=URL('static','images/python.gif')}}>"

in db? From a technical standpoint you can do:

XML(response.render(pageElementsTable.content_block))

but this MAY introduce a major vulnerability, depending on where the content
comes from. The response render is not just evaluating {{=URL...}}. It will
evaluate any CODE present within {{...}} in pageElementsTable.content_block.

I would never use {{...}} in HTML stored in database. There is always a
better option. Details depend on what you are trying to achieve. For
example, if your problem is allowing to link static files from HTML in
database I would do:

content_block = '<h1> Some Title </h1> <img src="$STATIC/images/python.gif"/>'
XML(pageElementsTable.content_block.replace('$STATIC', URL('static','x')[:-1]), sanitize=True)

On Monday, 22 July 2013 04:48:05 UTC-5, [email protected] wrote:
>
> Thanks Massimo, I've completely missed that.
>
> But in my case, I'm reading this html from db. So it is:
>
> content_block = XML(pageElementsTable.content_block, sanitize=False)
>
> actually.
>
> So, if I keep html content of a page with IMG, A, SRCs, HREFs, etc in db,
> how to pass it to the view to properly visualize in browser?
>
> On Monday, July 22, 2013 11:52:36 AM UTC+3, Massimo Di Pierro wrote:
>>
>> You cannot use the template language inside a string. You can use it inside
>> a template file.
>>
>> content_block = XML("<h1> Some Title </h1> <img src='{{=URL('static','images/python.gif')}}>",
>>
>> should be
>>
>> content_block = XML('<h1>Some Title</h1> <img src="%s" />' %
>> URL('static','images/python.gif'))
>>
>> On Monday, 22 July 2013 00:20:07 UTC-5, [email protected] wrote:
>>>
>>> Hi!
>>>
>>> I know that I'm missing something obvious here, but still:
>>>
>>> I store parts of page to be displayed in db, in html code, and return it
>>> to view, so content from db is in content_block var:
>>>
>>> def get_block():
>>>     [some other code]
>>>     content_block = XML("<h1> Some Title </h1> <img src='{{=URL('static','images/python.gif')}}>", sanitize=False)
>>>     return dict(form=form, content_block=content_block)
>>>
>>>
>>> view:
>>> {{extend 'layout.html'}}
>>> {{=form}}
>>> {{block content_block}} {{=content_block}} {{end}}
>>>
>>> but it turns out that URL helper is not executed when passed to view in
>>> a variable, so I get <img src="{{=URL(" static',images=""
>>> python.gif')}}=""> in the browser.
>>> Probably the view gets constructed (parsed) before vars passed to it are
>>> added.
>>>
>>> So, what is the best way to pass HTML parts with helpers (for IMG, A,
>>> etc) to view in a variable and still use the advantages of URL helper?
>>> I don't like the idea of statically setting links in html parts.
>>>
>>>
>>>
--
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
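
The placeholder approach from the top reply, generalized to an allow-list of tokens plus an audit for stored {{...}} spans, as an added example that is not part of the original thread or of web2py. The names PLACEHOLDERS, expand_stored_html, find_template_code and audit_rows and the /myapp/static prefix are assumptions; in the application the expanded string would still go through XML(..., sanitize=True).

```python
import re

# Constructed value: in the app this prefix would be built with URL('static', ...).
PLACEHOLDERS = {"STATIC": "/myapp/static"}

TOKEN = re.compile(r"\$([A-Z_]+)")
TEMPLATE_CODE = re.compile(r"\{\{.*?\}\}", re.S)


class UnsafeContent(ValueError):
    """Stored HTML that must not be expanded or rendered."""


def find_template_code(stored):
    """Return every {{...}} span; response.render would evaluate each one."""
    return TEMPLATE_CODE.findall(stored)


def expand_stored_html(stored, placeholders=PLACEHOLDERS):
    """Expand allow-listed $NAME tokens by plain string substitution.

    The text never reaches a template engine, so nothing in it runs as code.
    """
    if find_template_code(stored):
        raise UnsafeContent("template delimiters in stored content")

    def substitute(match):
        name = match.group(1)
        if name not in placeholders:
            raise UnsafeContent("unknown placeholder $" + name)
        return placeholders[name]

    return TOKEN.sub(substitute, stored)


def audit_rows(rows):
    """Map row id -> template spans, for rows that need cleaning up."""
    hits = {}
    for row_id, content in rows:
        spans = find_template_code(content)
        if spans:
            hits[row_id] = spans
    return hits


# Constructed sample rows (id, content_block); row 2 is the string from the thread.
SAMPLE_ROWS = [
    (1, '<h1> Some Title </h1> <img src="$STATIC/images/python.gif"/>'),
    (2, "<h1> Some Title </h1> <img src='{{=URL('static','images/python.gif')}}>"),
]
```

Running audit_rows over the content table before switching to placeholders shows which rows still carry template code and need rewriting.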