http://web2py.com/books/default/chapter/29/05#XML
Epydoc:
http://www.web2py.com/examples/static/epydoc/web2py.gluon.html.XML-class.html#__init__
XML
XML is an object used to encapsulate text that should not be escaped. The text may or may not contain valid XML. For example, it could contain JavaScript.
The text in this example is escaped:
>>> print DIV("<b>hello</b>")
<div>&lt;b&gt;hello&lt;/b&gt;</div>
By using XML you can prevent escaping:
>>> print DIV(XML("<b>hello</b>"))
<div><b>hello</b></div>
Sometimes you want to render HTML stored in a variable, but the HTML may contain unsafe tags such as scripts:
>>> print XML('<script>alert("unsafe!")</script>')
<script>alert("unsafe!")</script>
Un-escaped executable input such as this (for example, entered in the body of a comment in a blog) is unsafe, because it can be used to generate Cross Site Scripting (XSS) attacks against other visitors to the page.
sanitize
The web2py XML helper can sanitize our text to prevent injections and escape all tags except those that you explicitly allow. Here is an example:
>>> print XML('<script>alert("unsafe!")</script>', sanitize=True)
&lt;script&gt;alert(&quot;unsafe!&quot;)&lt;/script&gt;
The XML constructor, by default, considers the content of some tags and some of their attributes safe. You can override the defaults using the optional permitted_tags and allowed_attributes arguments. Here are the default values of the optional arguments of the XML helper:
XML(text, sanitize=False,
    permitted_tags=['a', 'b', 'blockquote', 'br/', 'i', 'li',
                    'ol', 'ul', 'p', 'cite', 'code', 'pre', 'img/'],
    allowed_attributes={'a':['href', 'title'],
                        'img':['src', 'alt'], 'blockquote':['type']})
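To make the difference between escape-by-default and allow-list sanitizing concrete, here is a small stand-alone sanitizer written as an added example for this page. It is not web2py's own code (gluon's XML helper is not imported); it reuses the default permitted_tags and allowed_attributes values quoted above and reproduces the same outputs as the two sessions on this page. One check goes beyond the page and is an assumption of this example: href and src values are kept only when their URL scheme is http, https, mailto or relative.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Default allow-lists as quoted on this page from the XML helper signature.
PERMITTED_TAGS = ['a', 'b', 'blockquote', 'br/', 'i', 'li',
                  'ol', 'ul', 'p', 'cite', 'code', 'pre', 'img/']
ALLOWED_ATTRIBUTES = {'a': ['href', 'title'],
                      'img': ['src', 'alt'], 'blockquote': ['type']}

# Assumption of this example (not on the page): URL-valued attributes are kept
# only for these schemes; '' covers relative URLs.
SAFE_SCHEMES = ('', 'http', 'https', 'mailto')


def escape(text):
    """Escape-by-default, i.e. what DIV("<b>hello</b>") does to its text."""
    return html.escape(text, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Re-emit markup, keeping allow-listed tags/attributes and escaping the rest."""

    def __init__(self, permitted_tags, allowed_attributes):
        super().__init__(convert_charrefs=True)
        # 'br/' and 'img/' on the page denote void elements; match on the bare name.
        self.void = {t[:-1] for t in permitted_tags if t.endswith('/')}
        self.allowed = {t.rstrip('/') for t in permitted_tags}
        self.attrs = allowed_attributes
        self.out = []

    def _attr_ok(self, tag, name, value):
        if name not in self.attrs.get(tag, []):
            return False            # e.g. onerror on <img> is dropped
        if name in ('href', 'src'):
            return urlparse(value or '').scheme.lower() in SAFE_SCHEMES
        return True

    def _open(self, tag, attrs, selfclose):
        if tag not in self.allowed:
            # Disallowed tag: emit its raw text escaped so it renders literally.
            self.out.append(escape(self.get_starttag_text()))
            return
        parts = [tag]
        for name, value in attrs:
            if self._attr_ok(tag, name, value):
                parts.append('%s="%s"' % (name, escape(value or '')))
        self.out.append('<%s%s>' % (' '.join(parts), '/' if selfclose else ''))

    def handle_starttag(self, tag, attrs):
        self._open(tag, attrs, tag in self.void)

    def handle_startendtag(self, tag, attrs):
        self._open(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in self.allowed and tag not in self.void:
            self.out.append('</%s>' % tag)
        elif tag not in self.allowed:
            self.out.append(escape('</%s>' % tag))

    def handle_data(self, data):
        # Text content is always escaped, including the body of a disallowed tag.
        self.out.append(escape(data))


def sanitize(text, permitted_tags=PERMITTED_TAGS,
             allowed_attributes=ALLOWED_ATTRIBUTES):
    """Allow-list sanitizing in the spirit of XML(text, sanitize=True)."""
    parser = AllowlistSanitizer(permitted_tags, allowed_attributes)
    parser.feed(text)
    parser.close()
    return ''.join(parser.out)


if __name__ == '__main__':
    print(escape('<b>hello</b>'))                          # escaped, as DIV() does
    print(sanitize('<b>hello</b>'))                        # <b> is permitted
    print(sanitize('<script>alert("unsafe!")</script>'))   # escaped, as on the page
    print(sanitize('<img src="x" onerror="alert(1)">'))    # onerror dropped
```

Escaping the disallowed tag rather than silently deleting it is what the page's sanitize example shows: the reader sees the literal text, the browser never parses it as a script element. The attribute allow-list is what keeps event-handler attributes off permitted tags such as img.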