Add autoescape application setting and convert chatdemo to use it.
authorBen Darnell <ben@bendarnell.com>
Tue, 31 May 2011 02:03:54 +0000 (19:03 -0700)
committerBen Darnell <ben@bendarnell.com>
Tue, 31 May 2011 02:03:54 +0000 (19:03 -0700)
demos/chat/chatdemo.py
demos/chat/templates/index.html
demos/chat/templates/message.html
tornado/web.py

index b9ad716b21116889f97b023402a3ff049f2339fd..48f8a908ec73bf165c910093e791282c485e98f7 100755 (executable)
@@ -43,6 +43,7 @@ class Application(tornado.web.Application):
             template_path=os.path.join(os.path.dirname(__file__), "templates"),
             static_path=os.path.join(os.path.dirname(__file__), "static"),
             xsrf_cookies=True,
+            autoescape="xhtml_escape",
         )
         tornado.web.Application.__init__(self, handlers, **settings)
 
index de051d852bb7c65c88003d4b60d6e5e2cdb32786..c38190b19dd83dc8f3d75aed9cdcceb5040c9567 100644 (file)
@@ -7,7 +7,7 @@
   </head>
   <body>
     <div id="nav">
-      <b>{{ escape(current_user["name"]) }}</b> -
+      <b>{{ current_user["name"] }}</b> -
       <a href="/auth/logout">{{ _("Sign out") }}</a>
     </div>
     <div id="body">
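Review bot: With the explicit `escape()` call removed, the escaping of `current_user["name"]` in the nav block depends entirely on the application passing `autoescape="xhtml_escape"`, and nothing in the template records that dependency. If this template is rendered through a loader built without that setting (for example a custom `template_loader`, which the new `create_template_loader` in tornado/web.py returns without applying `autoescape`), the name is emitted unescaped. Consider declaring the requirement in the template itself with `{% autoescape xhtml_escape %}` at the top, assuming that directive is available in this version, or at least a template comment stating the dependency. The same applies to `message["from"]` in demos/chat/templates/message.html.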
@@ -24,7 +24,7 @@
               <td style="padding-left:5px">
                 <input type="submit" value="{{ _("Post") }}"/>
                 <input type="hidden" name="next" value="{{ request.path }}"/>
-                {{ xsrf_form_html() }}
+                {% raw xsrf_form_html() %}
               </td>
             </tr>
           </table>
index 20edbe7a6311abd12d38559a352818fd790621b3..64d2f67f5c874891d2e50a2e293894270089f1c8 100644 (file)
@@ -1,2 +1 @@
-{% import tornado.escape %}
-<div class="message" id="m{{ message["id"] }}"><b>{{ escape(message["from"]) }}: </b>{{ tornado.escape.linkify(message["body"]) }}</div>
+<div class="message" id="m{{ message["id"] }}"><b>{{ message["from"] }}: </b>{% raw linkify(message["body"]) %}</div>
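Review bot: `{% raw linkify(message["body"]) %}` bypasses autoescaping for user-supplied message text, so the safety of this line rests on `linkify` escaping its input before it wraps URLs in anchors. That deserves a template comment next to the directive, for example `raw is safe only because linkify() escapes the text itself`. The `{% import tornado.escape %}` line is dropped and `linkify` is now referenced unqualified, which presumably relies on the template namespace exporting it; that is not visible in this diff and is worth confirming.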
index ecc686feeeb1c56667adf201274c0c05deb50492..adcfae3c7d0ee024ea15882dc6c1eda33b3ebfa8 100644 (file)
@@ -543,8 +543,7 @@ class RequestHandler(object):
         if not getattr(RequestHandler, "_templates", None):
             RequestHandler._templates = {}
         if template_path not in RequestHandler._templates:
-            loader = self.application.settings.get("template_loader") or\
-              template.Loader(template_path)
+            loader = self.create_template_loader(template_path)
             RequestHandler._templates[template_path] = loader
         t = RequestHandler._templates[template_path].load(template_name)
         args = dict(
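Review bot: The loader returned by `create_template_loader` is stored in `RequestHandler._templates`, a class-level dict keyed only by `template_path`, so the loader built from whichever application first renders from a path is reused by every other application in the process that shares that path. Now that the loader's escaping behaviour depends on per-application settings, an application configured with `autoescape="xhtml_escape"` could end up rendering through a cached loader created without it. At minimum this should be documented where the cache is filled, e.g. `# NOTE: cached per template_path for the whole process; the first application's loader settings win`. `render_string` begins and ends outside this hunk.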
@@ -561,6 +560,18 @@ class RequestHandler(object):
         args.update(kwargs)
         return t.generate(**args)
 
+    def create_template_loader(self, template_path):
+        settings = self.application.settings
+        if "template_loader" in settings:
+            return settings["template_loader"]
+        kwargs = {}
+        if "autoescape" in settings:
+            # autoescape=None means "no escaping", so we have to be sure
+            # to only pass this kwarg if the user asked for it.
+            kwargs["autoescape"] = settings["autoescape"]
+        return template.Loader(template_path, **kwargs)
+
+
     def flush(self, include_footers=False):
         """Flushes the current output buffer to the network."""
         if self.application._wsgi:
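Review bot: When a `template_loader` setting is present, `create_template_loader` returns it as-is and the `autoescape` setting is silently ignored, so templates that dropped their explicit `escape()` calls would render unescaped under a custom loader. A docstring should state that a supplied loader must configure its own autoescaping. The membership test also changes behaviour from the removed `settings.get("template_loader") or template.Loader(template_path)`: a `template_loader` explicitly set to `None` is now returned, and the later `.load()` call in `render_string` fails on it. Using `loader = settings.get("template_loader")` followed by `if loader: return loader` keeps the old fallback.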