google / py-html-contextual-escaping
Automatically exported from code.google.com/p/py-html-contextual-escaping
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Py HTML Contextual Autoescaping</title>
<script src="https://google-code-prettify.googlecode.com/svn/loader/run_prettify.js"></script>
</head>
<body>
<h1>A contextual autoescaper for HTML</h1>

<h2>Runtime auto-escaping</h2>

<p>If analysis can't be done when a template is compiled, this module provides a file-like object with two methods:</p>
<pre class="prettyprint">
write_safe(**strings)  # Called with strings that appear in the template
write(**values)        # Called with values supplied by the caller at runtime
</pre>
<p>so that a template like</p>
<pre class="prettyprint">
<b><i>{{ x }}</i></b>
<button onclick=foo(<i>{{ y }}</i>)>
</pre>
<p>generates the sequence of calls</p>
<pre class="prettyprint">
w.write_safe('<b>')
w.write('I <3 Ponies!')
w.write_safe('</b>\n<button onclick=foo(')
w.write({'foo': 'bar', '"baz"': 42})
w.write_safe(')>')
</pre>
<p>which results in the output</p>
<pre class="prettyprint">
<b>I &lt;3 Ponies!</b>
<button onclick="foo({&#34;foo&#34;:&#34;\x22bar\x22&#34;:42})">
</pre>
<p>
The safe parts are treated as literal chunks of HTML/CSS/JS, and the unsafe parts are escaped to preserve security and least-surprise. For a more comprehensive example, a template like
</p>
<pre class="prettyprint">
<div style="color: {{user.color}}">
  <a href="/{{user.color}}?q={{$user.world}}"
     onclick="alert('{{helper(user)}}');return false">
    {{helper(user)}}
  </a>
  <script>(function () {
    // Sleepy developers put sensitive info in comments.
    var o = {{user}},
        w = "{{user.world}}";
  })();</script>
</div>

{{template helper}}
Hello, {{user.world}}
{{/template}}
</pre>
<p>might correspond to the sequence of calls</p>
<pre class="prettyprint">
# Dummy input values.
user = {
  "world": "<Cincinatti>",
  "color": "blue"
}
color = user["color"]
world = user["world"]

# Alternating safe and unsafe writes that implement the template.
w.write_safe("<div style=\"color: ")
w.write(color)
w.write_safe("\">\n<a href=\"/")
w.write(color)
w.write_safe("?q=")
w.write(world)
w.write_safe("\"\n onclick=\"alert('")
helper(w, user)
w.write_safe("');return false\">\n ")
helper(w, user)  # Helper called in a different context
w.write_safe("\n </a>\n <script>(function () {\n var o = ")
w.write(user)
w.write_safe(",\n w = \"")
w.write(world)
w.write_safe("\";\n })();</script>\n</div>")
</pre>
<p>which results in the output</p>
<pre class="prettyprint">
<div style="color: blue">
  <a href="/blue?q=%3cCincinatti%3e"
     onclick="alert('Hello, \x3cCincinatti\x3e!');return false">
    Hello, <Cincinatti>!
  </a>
  <script>(function () {
    var o = {"Color":"blue","World":"\u003cCincinatti\u003e"},
        w = "\x26lt;Cincinatti\x26gt;";
  })();</script>
</div>
</pre>

<h2>Static auto-escaping</h2>

<p>If a template system's call-graph is readily statically analyzable, the <tt>escape</tt> module can be used to propagate context and pick an escaper for each interpolation of an untrusted value into the template output.</p>
</body>
</html>
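An added illustration of the write_safe()/write() interface described above, not the module's own code: a hypothetical ContextualWriter that derives the escaping context from the safe chunks written so far and picks the escaper for each untrusted value from that context. It assumes double-quoted attributes and covers only HTML text, attribute values (URL path or query, event-handler JS, plain) and JS inside an open <script>; CSS and unquoted attributes are not handled.

```python
import html, json, re
from urllib.parse import quote

class ContextualWriter:
    """Hypothetical autoescaper with the write_safe()/write() interface. The context of each
    write() is derived from the safe text so far: HTML text, a double-quoted attribute value
    (URL, event-handler JS or plain), or JS inside an open <script>. CSS is not handled."""
    _ATTR = re.compile(r'<[A-Za-z][^<>]*?\s([A-Za-z:-]+)="([^"]*)$')  # inside a quoted attribute
    _SCRIPT = re.compile(r'<script\b[^>]*>((?:(?!</script>).)*)$', re.I | re.S)  # open <script>

    def __init__(self):
        self.safe = ''  # safe chunks only: escaped values can never change the context
        self.out = []

    def write_safe(self, s):
        self.safe += s
        self.out.append(s)

    @staticmethod
    def _js_value(v, code):
        # An odd number of quotes in the safe JS means a string literal is open (naive:
        # escaped quotes and comments inside the safe JS are not parsed).
        if (code.count("'") + code.count('"')) % 2:
            # Hex-escape anything that could end the string, the attribute or the <script>.
            return re.sub(r'[\\\'"<>&\n\r]', lambda m: '\\x%02x' % ord(m.group()), str(v))
        j = json.dumps(v, separators=(',', ':'))  # a JSON literal is a valid JS expression
        return j.replace('<', '\\u003c').replace('>', '\\u003e').replace('&', '\\u0026')

    def write(self, v):
        m = self._SCRIPT.search(self.safe)
        if m:
            self.out.append(self._js_value(v, m.group(1)))
            return
        m = self._ATTR.search(self.safe)
        if m:
            name, sofar = m.group(1).lower(), m.group(2)
            if name.startswith('on'):  # event handler: escape as JS, then as attribute text
                self.out.append(html.escape(self._js_value(v, sofar), quote=True))
            elif name in ('href', 'src') and '?' in sofar:
                self.out.append(quote(str(v), safe=''))  # query component
            elif name in ('href', 'src'):
                self.out.append(quote(str(v), safe='/'))  # path; ':' is encoded, so no scheme
            else:
                self.out.append(html.escape(str(v), quote=True))
            return
        self.out.append(html.escape(str(v), quote=True))  # ordinary HTML text

    def getvalue(self):
        return ''.join(self.out)
```

Replaying the page's first call sequence (with the onclick value double-quoted) yields the `<b>`/`<button>` output shown above, with `&quot;` in place of `&#34;`.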