问题
如何防止Bottle - Python Web Framework中的字符转义?
背景
我正在Bottle(python)中制作一个歌曲歌词网络应用程序,并且在将所有数据插入数据库之前都在测试所有数据是否正确,因此,到目前为止,我基本上拥有一种形式,该形式具有“歌曲名称”,“艺术家” ”,“歌词”(在文本区域中),仅此而已。
提交表单时,它会加载一个包含上述三个输入值(歌曲,艺术家和歌词)的页面,并且一切都按预期工作,但是歌词的html被转义了(在将歌词发送到模板之前,我将所有\n替换为<br>)。
因此,我从this tutorial from bottlepy.org进行了研究,发现Bottle会转义html标记以防止XSS攻击,您可以通过添加“!”将其禁用。在变量名之前,真棒!我找到了解决方案,但是...当我尝试使用它时,抛出了一个错误:
错误-Screenshot of Error on computer
Exception:
SyntaxError('invalid syntax', ('H:\\Server\\htdocs\\letras\\prueba.tpl', 4, 27, "u'<div>Letra: ', _escape( !letra['letra'] ), u'</div>'])\n"))
Traceback (most recent call last):
File "H:\Server\htdocs\letras\bottle.py", line 764, in _handle
return route.call(**args)
File "H:\Server\htdocs\letras\bottle.py", line 1575, in wrapper
rv = callback(*a, **ka)
File "index.py", line 41, in guardar_letra
return template('prueba.tpl', letra = data)
File "H:\Server\htdocs\letras\bottle.py", line 3117, in template
return TEMPLATES[tplid].render(kwargs)
File "H:\Server\htdocs\letras\bottle.py", line 3090, in render
self.execute(stdout, kwargs)
File "H:\Server\htdocs\letras\bottle.py", line 3078, in execute
eval(self.co, env)
File "H:\Server\htdocs\letras\bottle.py", line 185, in __get__
value = obj.__dict__[self.func.__name__] = self.func(obj)
File "H:\Server\htdocs\letras\bottle.py", line 2977, in co
return compile(self.code, self.filename or '<string>', 'exec')
File "H:\Server\htdocs\letras\prueba.tpl", line 4
u'<div>Letra: ', _escape( !letra['letra'] ), u'</div>'])
^
SyntaxError: invalid syntax
index.py-gist on github
from bottle import Bottle, route, run, template, static_file, get, post, request, response
from passlib.hash import sha256_crypt
import MySQLdb as mdb
import time
import re
@get('/enviar')
def enviar_letra():
return template('enviar_letra.tpl')
@post('/enviar')
def guardar_letra():
titulo = request.forms.get('titulo').capitalize() # Gets the song title from the form
artista = request.forms.get('artista') # Gets the artist
letra = request.forms.get('letra') # Gets the lyrics
fecha_envio = time.strftime('%Y-%m-%d %H:%M:%S') # Date the lyrics were sent
titulo = re.sub('[^\w|!|\s|\.|,]', '', titulo) # I delete every character except: words, exclamation, spaces, dots, commas
url = titulo + "-" + artista # concatenate the song's title and the artist name to make a nice url
url = re.sub('\W+|_', '-', url).lower() # lower all the characters from the url
url = url.strip("-") # strips "-" at the beginning and the end
letra = letra.replace("\n", "<br>") # replaces \n from the lyrics text area with <br>
data = { "titulo": titulo, "artista": artista, "letra": letra, "url": url, "Fecha_envio": fecha_envio } # song dictionary
return template('prueba.tpl', letra = data) # loads prueba.tpl template and send "data" dictionary as "letra" (letra is lyric in spanish)
run(host='localhost', port=8080, debug=True)
HTML模板-gist on github
<h1>Letra de {{ letra['titulo'] }}</h1>
<h2>Por: {{ letra['artista'] }}</h2>
<div>Fecha: {{ letra['Fecha_envio'] }}</div>
<div>Letra: {{ !letra['letra'] }}</div>
如果让Bottle使我的歌词html逸出,这是它的工作方式/外观(请注意
<br>如何以纯文本形式显示):http://i.stack.imgur.com/fxz7o.png
最后,这就是它的外观
http://i.stack.imgur.com/6b58J.png
最佳答案
您需要在瓶的{{开头之后放置一个感叹号,以便识别它:
<div>Letra: {{! letra['letra'] }}</div>
最好,为了安全起见,您希望完全省略那里的空格:
<div>Letra: {{!letra['letra']}}</div>
关于python - 如何避免在Bottle Python Web框架中转义html字符?,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/17248836/