
How can I prevent web2py from automagically encoding html-entities?

I'm trying to print out HTML generated for user-submitted markdown, by

{{=markdown(post.message)}}

where the markdown function is imported through

from gluon.contrib.markdown.markdown2 import markdown

web2py seems to automatically encode HTML entities, so every < is converted into &lt; and every > is converted into &gt;. How do I prevent this from happening?

Are there any security concerns that I'll need to keep in mind while doing so? Also, could anyone kindly tell me how I can strip the HTML when storing it in the database, while retaining the markdown?

You have to do this:

{{=XML(markdown(post.message))}}

Every string is sanitized by the template render; if you pass "<div>" it will be rendered as "&lt;div&gt;". This is to protect against malicious code.

When you pass a string to the XML helper, XML("<div>"), it uses an XML parser to render the string into an XML tree structure. XML has a method .xml() which returns the unescaped string to the response.body, so the user's browser has the correct HTML.

You can control some parameters of XML rendering:

:param text: the XML text
:param sanitize: sanitize text using the permitted tags and allowed attributes (default False)
:param permitted_tags: list of permitted tags (default: simple list of tags)
:param allowed_attributes: dictionary of allowed attributes

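The following is an added example, not code from the question, the answer, or web2py itself. It shows the two behaviours the answer contrasts: escaping every character the way the template does by default, versus an allowlist sanitizer of the kind that XML(..., sanitize=True, permitted_tags=..., allowed_attributes=...) stands for. The sanitizer here is written from scratch on Python's html.parser so it runs without web2py; PERMITTED_TAGS, ALLOWED_ATTRIBUTES, SAFE_URL_SCHEMES and the sample HTML string are assumptions made for this example, not web2py's defaults.

```python
import html
from html.parser import HTMLParser

# Constructed sample: what a markdown renderer emits for a post whose author
# embedded raw HTML (markdown passes raw HTML through untouched, which is why
# sanitizing matters once you stop escaping the output).
SAMPLE_HTML = (
    '<p>Hello <strong>world</strong> '
    '<a href="https://example.com" onclick="alert(1)">link</a> '
    '<script>alert(1)</script></p>'
)

# Assumed allowlists for this example (not web2py's defaults).
PERMITTED_TAGS = {"p", "strong", "em", "a", "ul", "ol", "li", "code", "pre"}
ALLOWED_ATTRIBUTES = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:", "/")


def escape_everything(text):
    """Default template behaviour: every <, >, &, and quote becomes an entity."""
    return html.escape(text, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Keep only permitted tags/attributes; drop script/style bodies entirely."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in PERMITTED_TAGS:
            return  # unknown tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRIBUTES.get(tag, set()):
                continue  # event handlers such as onclick never pass
            if name == "href":
                url = (value or "").strip().lower()
                if not url.startswith(SAFE_URL_SCHEMES):
                    continue  # javascript:, data:, etc. are refused
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth > 0:
                self.skip_depth -= 1
            return
        if tag in PERMITTED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            # Re-escape text so decoded entities cannot re-open a tag.
            self.out.append(html.escape(data, quote=False))


def sanitize(text):
    """Return HTML containing only allowlisted tags and attributes."""
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("escaped :", escape_everything(SAMPLE_HTML))
    print("sanitized:", sanitize(SAMPLE_HTML))
```

Passing the rendered markdown through sanitize() before wrapping it in XML() keeps the formatting the author intended while refusing the script block, the onclick handler and any javascript: link; escaping alone would have shown the user the literal tags instead.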