For ``PUT`` and ``DELETE`` requests (as well as ``POST`` requests that
do not use form-encoded arguments), the XSRF token may also be passed
via an HTTP header named ``X-XSRFToken``. The XSRF cookie is normally
-set when ``xsrf_form_html`` is used, but in a pure-Javascript application
+set when ``xsrf_form_html`` is used, but in a pure-JavaScript application
that does not use any regular forms you may need to access
``self.xsrf_token`` manually (just reading the property is enough to
set the cookie as a side effect).
Note that while Tornado's automatic escaping is helpful in avoiding
XSS vulnerabilities, it is not sufficient in all cases. Expressions
-that appear in certain locations, such as in Javascript or CSS, may need
+that appear in certain locations, such as in JavaScript or CSS, may need
additional escaping. Additionally, either care must be taken to always
use double quotes and `.xhtml_escape` in HTML attributes that may contain
untrusted content, or a separate escaping function must be used for
# JSON permits but does not require forward slashes to be escaped.
# This is useful when json data is emitted in a <script> tag
# in HTML, as it prevents </script> tags from prematurely terminating
- # the javascript. Some json libraries do this escaping by default,
+ # the JavaScript. Some json libraries do this escaping by default,
# although python's standard library does not, so we do it here.
# http://stackoverflow.com/questions/1580647/json-why-are-forward-slashes-escaped
return json.dumps(value).replace("</", "<\\/")
# We do this by exploiting the public API
# add_done_callback() instead of putting a private
# attribute on the Future.
- # (Github issues #1769, #2229).
+ # (GitHub issues #1769, #2229).
runner = Runner(result, future, yielded)
future.add_done_callback(lambda _: runner)
yielded = None
@gen_test
def test_gc(self):
- # Github issue 1769: Runner objects can get GCed unexpectedly
+ # GitHub issue 1769: Runner objects can get GCed unexpectedly
# while their future is alive.
weakref_scope = [None] # type: List[Optional[weakref.ReferenceType]]
yield gen.with_timeout(datetime.timedelta(seconds=0.2), tester())
def test_gc_infinite_coro(self):
- # Github issue 2229: suspended coroutines should be GCed when
+ # GitHub issue 2229: suspended coroutines should be GCed when
# their loop is closed, even if they're involved in a reference
# cycle.
loop = self.get_new_ioloop()
Template()) instead of inheriting the outer template's namespace.
Templates rendered through this module also get access to UIModule's
- automatic javascript/css features. Simply call set_resources
+ automatic JavaScript/CSS features. Simply call set_resources
inside the template and give it keyword arguments corresponding to
the methods on UIModule: {{ set_resources(js_files=static_url("my.js")) }}
Note that these resources are output once per template file, not once
Web browsers allow any site to open a websocket connection to any other,
instead of using the same-origin policy that governs other network
- access from javascript. This can be surprising and is a potential
+ access from JavaScript. This can be surprising and is a potential
security hole, so since Tornado 4.0 `WebSocketHandler` requires
applications that wish to receive cross-origin websockets to opt in
by overriding the `~WebSocketHandler.check_origin` method (see that
projects / thirdparty / tornado.git / commitdiff
