def nl2br(value):
"""nl2br(value : any) -> htmltext
Insert <br /> tags before newline characters.
"""
text = htmlescape(value)
return htmltext(text.s.replace('\n', '<br />\n'))
def nl2br(value):
"""nl2br(value : any) -> htmltext
Insert <br /> tags before newline characters.
"""
text = htmlescape(value)
return htmltext(text.s.replace('\n', '<br />\n'))
def htmltag(tag, xml_end=0, css_class=None, **attrs):
"""Create a HTML tag.
"""
r = ["<%s" % tag]
if css_class is not None:
attrs['class'] = css_class
for (attr, val) in attrs.items():
if val is ValuelessAttr:
val = attr
if val is not None:
r.append(' %s="%s"' % (attr, htmlescape(val)))
if xml_end:
r.append(" />")
else:
r.append(">")
return htmltext("".join(r))
def href(url, text, title=None, **attrs):
return (htmltag("a", href=url, title=title, **attrs) +
htmlescape(text) +
htmltext("</a>"))
"""Various functions for dealing with HTML.
These functions are fairly simple but it is critical that they be
used correctly. Many security problems are caused by quoting errors
(cross site scripting is one example). The HTML and XML standards on
www.w3c.org and www.xml.com should be studied, especially the sections
on character sets, entities, attribute and values.
htmltext and htmlescape
-----------------------
This type and function are meant to be used with [html] PTL template type.
The htmltext type designates data that does not need to be escaped and the
htmlescape() function calls str() on the argment, escapes the resulting
string and returns a htmltext instance. htmlescape() does nothing to
htmltext instances.
html_quote
----------
Use for quoting data that will be used within attribute values or as
element contents (if the [html] template type is not being used).
Examples:
'<title>%s</title>' % html_quote(title)
'<input type="hidden" value="%s" />' % html_quote(data)
'<a href="%s">something</a>' % html_quote(url)
Note that the \" character should be used to surround attribute values.
def href(url, text, title=None, **attrs):
return (htmltag("a", href=url, title=title, **attrs) + htmlescape(text) +
htmltext("</a>"))
"""Various functions for dealing with HTML.
$HeadURL: svn+ssh://svn/repos/trunk/quixote/html.py $
$Id$
These functions are fairly simple but it is critical that they be
used correctly. Many security problems are caused by quoting errors
(cross site scripting is one example). The HTML and XML standards on
www.w3c.org and www.xml.com should be studied, especially the sections
on character sets, entities, attribute and values.
htmltext and htmlescape
-----------------------
This type and function are meant to be used with [html] PTL template type.
The htmltext type designates data that does not need to be escaped and the
htmlescape() function calls str() on the argment, escapes the resulting
string and returns a htmltext instance. htmlescape() does nothing to
htmltext instances.
html_quote
----------
Use for quoting data that will be used within attribute values or as
element contents (if the [html] template type is not being used).
Examples:
'<title>%s</title>' % html_quote(title)
'<input type="hidden" value="%s" />' % html_quote(data)
'<a href="%s">something</a>' % html_quote(url)