Building Data-Driven Web Apps with Pyramid and SQLAlchemy Transcripts
Chapter: Chameleon templates
Lecture: Concept: Templates
0:00
Let's quickly review what we just saw in action.
0:02
So we saw that we can use the TAL,
0:04
the template attribute language,
0:07
to control most of the things we do here.
0:10
So for example if we want to have something
0:12
not shown, if there's no categories
0:14
or shown when there are categories
0:16
then we can use the tal:condition.
0:19
If we have a set of objects, or some sort of variable
0:22
we can say tal:repeat.
0:24
Here we're going to say for each category I want
0:26
to replicate this div.
0:30
So loops are written with tal:repeat.
0:32
Anytime we want to output some form of a string
0:35
like for the source attribute on its image
0:37
we want to say well it's the image URL
0:39
or the text is c.category, things like that.
0:43
We use this curly bracket expression
0:47
if we want to test something true or not.
0:50
Optionally show or hide some segment
0:53
say tal:condition
0:54
then we put any truthy or falsy statement in Python
0:58
so not categories or categories that's in intervals
1:01
so our list, it's going to be true if it's not None
1:06
and it's not empty.
1:07
Otherwise, nothing.
1:08
So it's the perfect test for us here in Python.
1:12
One thing you need to be aware of,
1:14
and this is generally a good thing,
1:16
is that when you say ${} expression
1:21
that tries to protect you from any form of injection attack.
1:25
So imagine you're creating a comment section
1:28
at the bottom of a book store.
1:30
Somebody could go and say well my comment
1:31
is angle bracket, script, evil JavaScript-y, right?
1:37
So in order to protect you from that
1:40
Chameleon will actually HTML-escape
1:42
anything that it prints out there.
1:44
So if category had some kind of HTML in it
1:47
say it were bold or something, it shouldn't be
1:49
but let's say it did
1:50
if it had some kind of text in there that was HTML
1:55
it would appear as view source to the user
1:58
if you did it this way.
1:59
So, if you want to actually show the HTML
2:02
you have to say structure: for raw HTML
2:06
and then it'll just drop it in there
2:07
and the browser will interpret it as HTML.
2:09
Be extremely careful here.
2:11
Make sure whatever the expression is,
2:13
that it does not come from user input,
2:15
that it comes from you, maybe some kind of CMS or somewhere
2:18
where it has trusted input and it won't be
2:21
some kind of injection attack.
2:23
That's the basics of Chameleon.
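The comment-section scenario from the lecture, as an added example that is not part of the course transcript or of Chameleon's own code. Chameleon itself is not imported here: the small `render` function below is a stand-in that models only the rule the lecture describes (`${expr}` is HTML-escaped, `${structure: expr}` is dropped in raw), so the output is illustrative of that rule rather than byte-for-byte Chameleon output. The comment data, the trusted blurb and the function names are all constructed for this example.

```python
import html
import re

# Constructed sample data for the example; nothing here comes from the course.
COMMENTS = [
    {"author": "alice", "body": "Great book!"},
    # The hostile comment from the lecture's scenario: a script tag typed into the form.
    {"author": "mallory", "body": '<script>alert("evil")</script>'},
]

# Trusted HTML, e.g. authored in your own CMS, that you deliberately want rendered as markup.
TRUSTED_BLURB = "<b>Staff pick</b> of the month"

# Matches ${expr} and ${structure: expr}, the two interpolation forms the lecture contrasts.
_INTERP = re.compile(r"\$\{\s*(structure:)?\s*([^}]+?)\s*\}")


def render(template, **context):
    """Model of the ${...} rule: escaped by default, raw only with 'structure:'.

    Stand-in for illustration, not Chameleon: only dotted names are resolved
    against the keyword arguments, and no tal: attributes are handled.
    """
    def resolve(expr):
        value = context
        for part in expr.split("."):
            value = value[part] if isinstance(value, dict) else getattr(value, part)
        return value

    def substitute(match):
        raw = match.group(1) is not None
        value = str(resolve(match.group(2)))
        # ${expr}: <, >, &, " and ' become entities, so markup inside user data stays inert text.
        # ${structure: expr}: the string is inserted verbatim and the browser parses it as HTML.
        return value if raw else html.escape(value, quote=True)

    return _INTERP.sub(substitute, template)


def render_comment(comment):
    # ${comment.body} is the right form for user-controlled text.
    return render("<li>${comment.author}: ${comment.body}</li>", comment=comment)


def render_comment_unsafely(comment):
    # Same data through structure: this is exactly the mistake the lecture warns about.
    return render("<li>${comment.author}: ${structure: comment.body}</li>", comment=comment)


def render_blurb(blurb):
    # structure: is acceptable here only because the blurb is trusted, author-controlled HTML.
    return render("<p>${structure: blurb}</p>", blurb=blurb)


def script_survives(rendered):
    # A check worth keeping in a test suite: no raw <script ever reaches the page.
    return "<script" in rendered.lower()
```

Running `render_comment` over the hostile comment yields the tag as entities, so "view source" shows the script text but the browser never executes it; `render_comment_unsafely` on the same input keeps the live tag. The `script_survives` check is the kind of assertion to put next to any template that uses `structure:`, so a later change that routes user input through it fails a test rather than shipping.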