Building Data-Driven Web Apps with Pyramid and SQLAlchemy Transcripts
Chapter: Chameleon templates
Lecture: Concept: Templates

Learn more about this course
Login or purchase this course to watch this video and the rest of the course contents.
0:00 Let's quickly review what we just saw in action. So we saw that we can use the TAL the template attribute language
0:08 to control most of the things we do here. So for example if we want to have something not shown, if there's no categories
0:15 or shown when there are categories then we can use the tal:condition. If we have a set of objects, or some sort of variable we can say tal:repeat.
0:25 Here we're going to say for each category I want to replicate this div. So loops are written with tal:repeat.
0:33 Anytime we want to output some form of a string like for the source attribute on it's image we want to say well it's the image URL
0:40 or the text is c.category, things like that. We use this curly bracket expression if we want to test something true or not.
0:51 Optionally show or hide some segment say tal:condition then we put any truthy or falsey statement in Python
0:59 so not categories or categories that's in intervals so our list it's going to be true if it's not none and it's not empty. Otherwise, nothing.
1:09 So it's the perfect test for us here in Python. One thing you need to be aware of is this is generally a good thing is that when you say ${} expression
1:22 that tries to protect you from any form of injection attack. So imagine you're creating a comment section at the bottom of a book store.
1:31 Somebody could go and say well my comment is angle bracket, script evil java scripty right? So in order to protect you from that
1:41 Chameleon will actually, HTML escape anything that it prints out there. So if category had some kind of HTML in it
1:48 say it were bold or something, it shouldn't be but let's say it did if it had some kind of text in there that was HTML
1:56 it would appear as view source to the user if you did it this way. So, if you want to actually show the HTML you have to say structure: for raw HTML
2:07 and then it'll just drop it in there and the browser will interpret it as HTML. Be extremely careful here. Make sure whatever exp is
2:14 that does not come from user input that comes from you, maybe some kind of CMS or somewhere where it has trusted input and it won't be
2:22 some kind of injection attack. That's the basics of Chameleon.


Talk Python's Mastodon Michael Kennedy's Mastodon