Building Data-Driven Web Apps with Pyramid and SQLAlchemy Transcripts
Chapter: Chameleon templates
Lecture: Concept: Templates

0:00 Let's quickly review what we just saw in action.
0:02 So we saw that we can use the TAL,
0:04 the template attribute language,
0:07 to control most of the things we do here.
0:10 So for example if we want to have something
0:12 not shown if there are no categories,
0:14 or shown when there are categories
0:16 then we can use the tal:condition.
0:19 If we have a set of objects, or some sort of variable
0:22 we can say tal:repeat.
0:24 Here we're going to say for each category I want
0:26 to replicate this div.
0:30 So loops are written with tal:repeat.
0:32 Anytime we want to output some form of a string
0:35 like for the source attribute on its image,
0:37 we want to say well it's the image URL
0:39 or the text is c.category, things like that.
0:43 We use this curly bracket expression
0:47 if we want to test something true or not.
0:50 Optionally show or hide some segment
0:53 say tal:condition
0:54 then we put any truthy or falsey statement in Python
0:58 so not categories or categories that's in intervals
1:01 so our list it's going to be true if it's not none
1:06 and it's not empty.
1:07 Otherwise, nothing.
1:08 So it's the perfect test for us here in Python.
1:12 One thing you need to be aware of is
1:14 this is generally a good thing
1:16 is that when you say ${} expression
1:21 that tries to protect you from any form of injection attack.
1:25 So imagine you're creating a comment section
1:28 at the bottom of a book store.
1:30 Somebody could go and say well my comment
1:31 is angle bracket, script evil java scripty right?
1:37 So in order to protect you from that
1:40 Chameleon will actually HTML-escape
1:42 anything that it prints out there.
1:44 So if category had some kind of HTML in it
1:47 say it were bold or something, it shouldn't be
1:49 but let's say it did
1:50 if it had some kind of text in there that was HTML
1:55 it would appear as view source to the user
1:58 if you did it this way.
1:59 So, if you want to actually show the HTML
2:02 you have to say structure: for raw HTML
2:06 and then it'll just drop it in there
2:07 and the browser will interpret it as HTML.
2:09 Be extremely careful here.
2:11 Make sure whatever expr is
2:13 that does not come from user input
2:15 that comes from you, maybe some kind of CMS or somewhere
2:18 where it has trusted input and it won't be
2:21 some kind of injection attack.
2:23 That's the basics of Chameleon.
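Added example, not code from the course or from Chameleon itself: the escaping behaviour the lecture describes, reproduced with the standard library's html.escape so it runs without Chameleon. The names TrustedHTML, interpolate and render_categories are assumptions for illustration; the comment payload and the category list are constructed sample data.

```python
import html


# Marker type (hypothetical, not part of Chameleon): a str subclass that
# only code you control should construct, e.g. for HTML fetched from a CMS.
class TrustedHTML(str):
    """Raw HTML that is safe to insert without escaping."""


def interpolate(value, structure=False):
    """Mimic the two interpolation forms from the lecture.

    ${expr}            -> escaped (structure=False)
    ${structure: expr} -> raw     (structure=True), but only for TrustedHTML
    """
    if structure:
        if not isinstance(value, TrustedHTML):
            # The check the lecture tells you to do by hand: refuse raw
            # insertion of anything not explicitly marked as trusted.
            raise TypeError("structure: refused for untrusted value")
        return str(value)
    # html.escape with quote=True also escapes quotes, so the result is
    # safe inside attribute values such as src="${c.image_url}" as well
    # as in element text.
    return html.escape(str(value), quote=True)


def render_categories(categories):
    """tal:condition plus tal:repeat from the lecture, written out in Python."""
    if not categories:            # tal:condition="categories"
        return ""
    parts = []
    for c in categories:          # tal:repeat="c categories"
        parts.append(
            '<div class="category">'
            f'<img src="{interpolate(c["image_url"])}">'
            f'<span>{interpolate(c["name"])}</span>'
            '</div>'
        )
    return "\n".join(parts)


# Constructed sample data, not from the course.
EVIL_COMMENT = '<script>alert("pwned")</script>'
CMS_FRAGMENT = TrustedHTML('<b>Data-driven</b> apps')
SAMPLE_CATEGORIES = [
    {"name": "Python", "image_url": "/img/python.png"},
    {"name": '"><script>evil()</script>', "image_url": "/img/x.png"},
]

if __name__ == "__main__":
    print(interpolate(EVIL_COMMENT))                   # shows up as text
    print(interpolate(CMS_FRAGMENT, structure=True))   # browser renders it
    print(render_categories(SAMPLE_CATEGORIES))
    try:
        interpolate(EVIL_COMMENT, structure=True)
    except TypeError as e:
        print("blocked:", e)
```

The marker type makes the trust decision explicit at the point where the value is produced rather than at the template, so a comment string can never reach the raw-insertion path by accident. Escaping does not validate URL schemes, so a src value still needs its own check before it is used in an attribute.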