[PHPTAL] How To Prevent HTML escaping
Bill Van Vooren
wpvanv at yahoo.com
Thu Apr 13 20:37:07 CEST 2006
Joshua,
Thanks very much.
I strip all HTML before storing it in the DB (with a
few other safety checks), so I'm confident enough to
bypass PHPTAL's escaping mechanism.
"<div tal:content="structure my/safe/string"></div>"
works great, and "structure textile:" is very
interesting. I have a lot to learn here.
Bill
--- Joshua Paine <lists at fairsky.us> wrote:
> <div tal:content="structure my/safe/string"></div>
>
> or if you hook up textile as a phptal_tales operator
> you can do:
>
> <div tal:content="structure
> textile:safe/string/directly/from/db"></div>
>
> But remember that it is possible for users to ignore
> the textile format
> and type HTML directly into textile, so unless you
> strip tags or really
> trust your users, running it through textile doesn't
> actually make it safe.
>
> --
> Joshua Paine
> Chief Tower Builder
> LetterBlock Software
> http://letterblock.com/
>
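The caveat in the quoted reply, as an added example that is not part of the original thread or of PHPTAL. `toy_markup()` is a constructed stand-in for a Textile-style formatter (not the Textile library), and the other function names and the sample input are hypothetical as well. It compares what would reach a `structure` expression when the input is only formatted, when tags are stripped first, and when it is escaped first.

```php
<?php
// Constructed stand-in for a Textile-style formatter: converts *bold* and
// _emphasis_ and, like the behaviour described in the thread, passes any raw
// HTML in the input straight through.
function toy_markup(string $text): string
{
    $text = preg_replace('/\*([^*\n]+)\*/', '<strong>$1</strong>', $text);
    $text = preg_replace('/_([^_\n]+)_/', '<em>$1</em>', $text);
    return $text;
}

// Formatting alone: user-typed HTML survives, so emitting this string with
// tal:content="structure ..." would put it into the page unescaped.
function format_only(string $userInput): string
{
    return toy_markup($userInput);
}

// The approach described in the reply: remove tags before formatting/storing.
function strip_then_format(string $userInput): string
{
    return toy_markup(strip_tags($userInput));
}

// Alternative: escape first, so typed markup is shown as text and the only
// tags in the result are the ones the formatter itself generated.
function escape_then_format(string $userInput): string
{
    return toy_markup(htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample input: formatter syntax mixed with raw HTML.
$input = 'Nice *post*, _really_ <script>alert(1)</script>';

foreach (['format_only', 'strip_then_format', 'escape_then_format'] as $fn) {
    // Each result is the string that would be handed to the template for
    // output via "structure", i.e. without PHPTAL's default escaping.
    echo str_pad($fn, 20), ' => ', $fn($input), PHP_EOL;
}
```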