Massimo, thanks again. I'm aware of the security risks; the HTML in the db is just 
legacy static pages, no user input there, ever. I'm just converting static 
pages to a dynamic website with apps.

But your suggestion to use replace looks even better! 

On Monday, July 22, 2013 1:57:20 PM UTC+3, Massimo Di Pierro wrote:
>
> You are telling me you are storing this
>
> "<h1> Some Title </h1> <img src='{{=URL('static','images/python.gif')}}>"
>
> in db? From a technical standpoint you can do:
>
> XML(response.render(pageElementsTable.content_block)) but this MAY 
> introduce a major vulnerability, depending on where the content comes from. 
> The response render is not just evaluating {{=URL...}}. It will evaluate 
> any CODE present within {{...}} in pageElementsTable.content_block.
>
> I would never use {{...}} in HTML stored in a database. There is always a 
> better option. Details depend on what you are trying to achieve. For 
> example, if your problem is allowing HTML in the database to link to static 
> files, I would do:
>
> content_block = '<h1> Some Title </h1> <img src="$STATIC/images/python.gif"/>'
>
> XML(pageElementsTable.content_block.replace('$STATIC',URL('static','x')[:-1]),sanitize=True)
>
>
> On Monday, 22 July 2013 04:48:05 UTC-5, shapova...@gmail.com wrote:
>>
>> Thanks Massimo, I've completely missed that.
>>
>> But in my case, I'm reading this html from db. So it is:
>>
>>  content_block = XML(pageElementsTable.content_block, sanitize=False)
>>
>> actually.
>>
>> So, if I keep the HTML content of a page with IMG, A, SRCs, HREFs, etc. in 
>> the db, how do I pass it to the view so it renders properly in the browser?
>>
>> On Monday, July 22, 2013 11:52:36 AM UTC+3, Massimo Di Pierro wrote:
>>>
>>> You cannot use the template language inside a string. You can use it inside 
>>> a template file.
>>>
>>> content_block = XML("<h1> Some Title </h1> <img src='{{=URL('static','images/python.gif')}}'>",
>>>
>>> should be
>>>
>>> content_block = XML('<h1>Some Title</h1> <img src="%s" />' % URL('static','images/python.gif'))
>>>
>>> On Monday, 22 July 2013 00:20:07 UTC-5, shapova...@gmail.com wrote:
>>>>
>>>> Hi!
>>>>
>>>> I know that I'm missing something obvious here, but still:
>>>>
>>>> I store parts of a page to be displayed in the db, as HTML code, and return 
>>>> them to the view, so the content from the db is in the content_block var:
>>>>
>>>>    def get_block():
>>>>        [some other code]
>>>>        # the template markup is stored inside a plain Python string here
>>>>        content_block = XML("<h1> Some Title </h1> <img src='{{=URL('static','images/python.gif')}}'>", sanitize=False)
>>>>        return dict(form=form, content_block=content_block)
>>>>
>>>>
>>>> view:
>>>> {{extend 'layout.html'}}
>>>> {{=form}}
>>>> {{block content_block}} {{=content_block}} {{end}}
>>>>
>>>> but it turns out that the URL helper is not executed when passed to the view in 
>>>> a variable, so I get <img src="{{=URL(" static',images="" 
>>>> python.gif')}}=""> in the browser. 
>>>> Probably the view gets constructed (parsed) before the vars passed to it 
>>>> are added.
>>>>
>>>> So, what is the best way to pass HTML parts with helpers (for IMG, A, 
>>>> etc.) to the view in a variable and still use the advantages of the URL helper? 
>>>> I don't like the idea of statically setting links in HTML parts.
>>>>
>>>>
>>>>
