Add autoescape application setting and convert chatdemo to use it.

2011-05-30 19:03:54 -07:00 · 2011-05-30 19:03:54 -07:00 · 6a85be4577
parent ebe191e1bf
commit 6a85be4577
4 changed files with 17 additions and 6 deletions
--- a/demos/chat/chatdemo.py
+++ b/demos/chat/chatdemo.py
@ -43,6 +43,7 @@ class Application(tornado.web.Application):
            template_path=os.path.join(os.path.dirname(__file__), "templates"),
            static_path=os.path.join(os.path.dirname(__file__), "static"),
            xsrf_cookies=True,
+            autoescape="xhtml_escape",
        )
        tornado.web.Application.__init__(self, handlers, **settings)

--- a/demos/chat/templates/index.html
+++ b/demos/chat/templates/index.html
@ -7,7 +7,7 @@
  </head>
  <body>
    <div id="nav">
-      <b>{{ escape(current_user["name"]) }}</b> -
+      <b>{{ current_user["name"] }}</b> -
      <a href="/auth/logout">{{ _("Sign out") }}</a>
    </div>
    <div id="body">
@ -24,7 +24,7 @@
              <td style="padding-left:5px">
                <input type="submit" value="{{ _("Post") }}"/>
                <input type="hidden" name="next" value="{{ request.path }}"/>
-                {{ xsrf_form_html() }}
+                {% raw xsrf_form_html() %}
              </td>
            </tr>
          </table>
--- a/demos/chat/templates/message.html
+++ b/demos/chat/templates/message.html
@ -1,2 +1 @@
-{% import tornado.escape %}
-<div class="message" id="m{{ message["id"] }}"><b>{{ escape(message["from"]) }}: </b>{{ tornado.escape.linkify(message["body"]) }}</div>
+<div class="message" id="m{{ message["id"] }}"><b>{{ message["from"] }}: </b>{% raw linkify(message["body"]) %}</div>
--- a/tornado/web.py
+++ b/tornado/web.py
@ -543,8 +543,7 @@ class RequestHandler(object):
        if not getattr(RequestHandler, "_templates", None):
            RequestHandler._templates = {}
        if template_path not in RequestHandler._templates:
-            loader = self.application.settings.get("template_loader") or\
-              template.Loader(template_path)
+            loader = self.create_template_loader(template_path)
            RequestHandler._templates[template_path] = loader
        t = RequestHandler._templates[template_path].load(template_name)
        args = dict(
@ -561,6 +560,18 @@ class RequestHandler(object):
        args.update(kwargs)
        return t.generate(**args)

+    def create_template_loader(self, template_path):
+        settings = self.application.settings
+        if "template_loader" in settings:
+            return settings["template_loader"]
+        kwargs = {}
+        if "autoescape" in settings:
+            # autoescape=None means "no escaping", so we have to be sure
+            # to only pass this kwarg if the user asked for it.
+            kwargs["autoescape"] = settings["autoescape"]
+        return template.Loader(template_path, **kwargs)
+
+
    def flush(self, include_footers=False):
        """Flushes the current output buffer to the network."""
        if self.application._wsgi: