Use autoescape in blog demo.
authorBen Darnell <ben@bendarnell.com>
Sun, 3 Mar 2013 17:09:29 +0000 (12:09 -0500)
committerBen Darnell <ben@bendarnell.com>
Sun, 3 Mar 2013 17:09:29 +0000 (12:09 -0500)
demos/blog/blog.py
demos/blog/templates/archive.html
demos/blog/templates/compose.html
demos/blog/templates/entry.html
demos/blog/templates/feed.xml
demos/blog/templates/home.html
demos/blog/templates/modules/entry.html

index bff45c36cc02c022706c0592a1b4ecf2604a8531..f6487bcfbe16f0807fcda47b1149c7a7abbf89ce 100755 (executable)
@@ -53,7 +53,7 @@ class Application(tornado.web.Application):
             xsrf_cookies=True,
             cookie_secret="__TODO:_GENERATE_YOUR_OWN_RANDOM_VALUE_HERE__",
             login_url="/auth/login",
-            autoescape=None,
+            debug=True,
         )
         tornado.web.Application.__init__(self, handlers, **settings)
 
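Review bot: `debug=True` on the added line turns on Tornado's debug mode for the whole Application, which besides autoreload makes `write_error` render the exception traceback into HTTP error responses, so it should be marked as a demo-only setting: `debug=True,  # demo only: serves tracebacks to clients and autoreloads; do not enable in production`. Dropping `autoescape=None` makes the Application default (`xhtml_escape`) apply to every template loaded by this app, so any template that emits pre-rendered markup now has to go through `{% raw %}` or `{% module %}`, which the template hunks in this commit do. The enclosing `__init__` and its `settings` dict begin before this hunk.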
index dcca9511a48919ec28579363ad803d654298672a..d5014649768648f0d0996d12305ecf209d3d1380 100644 (file)
@@ -23,7 +23,7 @@
   <ul class="archive">
     {% for entry in entries %}
       <li>
-        <div class="title"><a href="/entry/{{ entry.slug }}">{{ escape(entry.title) }}</a></div>
+        <div class="title"><a href="/entry/{{ entry.slug }}">{{ entry.title }}</a></div>
         <div class="date">{{ locale.format_date(entry.published, full_format=True, shorter=True) }}</div>
       </li>
     {% end %}
index bc054b334945025ad670f49c2c39fc43d61d738d..fb8a4623158c0c99e7b775ca0a102dd9022cac9b 100644 (file)
@@ -2,8 +2,8 @@
 
 {% block body %}
   <form action="{{ request.path }}" method="post" class="compose">
-    <div style="margin-bottom:5px"><input name="title" type="text" class="title" value="{{ escape(entry.title) if entry else "" }}"/></div>
-    <div style="margin-bottom:5px"><textarea name="markdown" rows="30" cols="40" class="markdown">{{ escape(entry.markdown) if entry else "" }}</textarea></div>
+    <div style="margin-bottom:5px"><input name="title" type="text" class="title" value="{{ entry.title if entry else "" }}"/></div>
+    <div style="margin-bottom:5px"><textarea name="markdown" rows="30" cols="40" class="markdown">{{ entry.markdown if entry else "" }}</textarea></div>
     <div>
       <div style="float:right"><a href="http://daringfireball.net/projects/markdown/syntax">{{ _("Syntax documentation") }}</a></div>
       <input type="submit" value="{{ _("Save changes") if entry else _("Publish post") }}" class="submit"/>
@@ -12,7 +12,7 @@
     {% if entry %}
       <input type="hidden" name="id" value="{{ entry.id }}"/>
     {% end %}
-    {{ xsrf_form_html() }}
+    {% module xsrf_form_html() %}
   </form>
 {% end %}
 
@@ -39,4 +39,3 @@
   //]]>
   </script>
 {% end %}
-
index 43c835deadad689961480e50f0863e2477b449a5..f3f495b4968741d06231d8819189b5f181c5cf62 100644 (file)
@@ -1,5 +1,5 @@
 {% extends "base.html" %}
 
 {% block body %}
-  {{ modules.Entry(entry) }}
+  {% module Entry(entry) %}
 {% end %}
index c6c368656c70ee69d41d04a1351c841aa466023a..a98826c8d302376fa3a79be57911c7d4c31286a9 100644 (file)
@@ -1,25 +1,25 @@
 <?xml version="1.0" encoding="utf-8"?>
 <feed xmlns="http://www.w3.org/2005/Atom">
   {% set date_format = "%Y-%m-%dT%H:%M:%SZ" %}
-  <title>{{ escape(handler.settings["blog_title"]) }}</title>
+  <title>{{ handler.settings["blog_title"] }}</title>
   {% if len(entries) > 0 %}
     <updated>{{ max(e.updated for e in entries).strftime(date_format) }}</updated>
   {% else %}
     <updated>{{ datetime.datetime.utcnow().strftime(date_format) }}</updated>
   {% end %}
   <id>http://{{ request.host }}/</id>
-  <link rel="alternate" href="http://{{ request.host }}/" title="{{ escape(handler.settings["blog_title"]) }}" type="text/html"/>
-  <link rel="self" href="{{ request.full_url() }}" title="{{ escape(handler.settings["blog_title"]) }}" type="application/atom+xml"/>
-  <author><name>{{ escape(handler.settings["blog_title"]) }}</name></author>
+  <link rel="alternate" href="http://{{ request.host }}/" title="{{ handler.settings["blog_title"] }}" type="text/html"/>
+  <link rel="self" href="{{ request.full_url() }}" title="{{ handler.settings["blog_title"] }}" type="application/atom+xml"/>
+  <author><name>{{ handler.settings["blog_title"] }}</name></author>
   {% for entry in entries %}
     <entry>
       <id>http://{{ request.host }}/entry/{{ entry.slug }}</id>
-      <title type="text">{{ escape(entry.title) }}</title>
+      <title type="text">{{ entry.title }}</title>
       <link href="http://{{ request.host }}/entry/{{ entry.slug }}" rel="alternate" type="text/html"/>
       <updated>{{ entry.updated.strftime(date_format) }}</updated>
       <published>{{ entry.published.strftime(date_format) }}</published>
       <content type="xhtml" xml:base="http://{{ request.host }}/">
-        <div xmlns="http://www.w3.org/1999/xhtml">{{ entry.html }}</div>
+        <div xmlns="http://www.w3.org/1999/xhtml">{% raw entry.html %}</div>
       </content>
     </entry>
   {% end %}
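Review bot: `{% raw entry.html %}` on the content line deliberately bypasses the autoescape the commit now relies on everywhere else, so the feed's safety rests on `entry.html` having been sanitized when it was rendered from markdown at compose time, which this hunk cannot show; the same applies to the `{% raw entry.html %}` line in modules/entry.html. A template comment next to each would make that trust boundary explicit: `{# entry.html is markdown rendered server-side at compose time; raw bypasses autoescape, so it must never hold unsanitized input #}`. The remaining changes in this hunk simply let `xhtml_escape` handle `blog_title` and `entry.title`, whose escaped output is also well-formed for the Atom elements and attributes used here.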
index dd069a97f3f3861b6f1125342e4d4b2fe094a765..8e990ca56cb1beac63d95fcf63411469fcc998ac 100644 (file)
@@ -2,7 +2,7 @@
 
 {% block body %}
   {% for entry in entries %}
-    {{ modules.Entry(entry) }}
+    {% module Entry(entry) %}
   {% end %}
   <div><a href="/archive">{{ _("Archive") }}</a></div>
 {% end %}
index 27ea0d76c2ffeae2a28d5dc108728df212d47076..c8cf11a7d68b92b8ec1dc37389d3fecaca845c6c 100644 (file)
@@ -1,7 +1,7 @@
 <div class="entry">
-  <h1><a href="/entry/{{ entry.slug }}">{{ escape(entry.title) }}</a></h1>
+  <h1><a href="/entry/{{ entry.slug }}">{{ entry.title }}</a></h1>
   <div class="date">{{ locale.format_date(entry.published, full_format=True, shorter=True) }}</div>
-  <div class="body">{{ entry.html }}</div>
+  <div class="body">{% raw entry.html %}</div>
   {% if current_user %}
     <div class="admin"><a href="/compose?id={{ entry.id }}">{{ _("Edit this post") }}</a></div>
   {% end %}