安装jinja2包
pip install jinja2
定义继承tornado.web.RequestHandler的子类BaseHandler。如果请求处理类继承这个类将会使用jinja模板引擎;如果请求处理类继承tornado.web.RequestHandler,则会使用Tornado框架的模板引擎。
1 import os 2 3 from jinja2 import Environment, FileSystemLoader, TemplateNotFound 4 from tornado.web import RequestHandler, Application 5 from tornado.httpserver import HTTPServer 6 from tornado.ioloop import IOLoop 7 8 9 class TemplateRendering(object): 10 """ 11 A simple class to hold methods for rendering templates. 12 """ 13 def render_html_file(self, template_name, **kwargs): 14 template_dirs = [] 15 if self.settings.get(‘template_path‘, ‘‘): 16 template_dirs.append(self.settings[‘template_path‘]) 17 env = Environment(loader=FileSystemLoader(template_dirs)) 18 try: 19 template = env.get_template(template_name) 20 except TemplateNotFound: 21 raise TemplateNotFound(template_name) 22 content = template.render(kwargs) 23 return content 24 25 26 class BaseHandler(RequestHandler, TemplateRendering): 27 28 def initialize(self): 29 pass 30 31 def get_current_user(self): 32 user = self.get_secure_cookie("user") 33 return user or None 34 35 def render_template(self, template_name, **kwargs): 36 kwargs.update({ 37 "settings": self.settings, 38 "STATIC_URL": self.settings.get("static_url_prefix", "/static/"), 39 "request": self.request, 40 "current_user": self.current_user, 41 "xsrf_token": self.xsrf_token, 42 "xsrf_form_html": self.xsrf_form_html 43 }) 44 content = self.render_html_file(template_name, **kwargs) 45 self.finish(content) 46 47 48 class NewHandler(BaseHandler): 49 50 def get(self, *args, **kwargs): 51 self.render_template("new.html", text="") 52 53 def post(self, *args, **kwargs): 54 text = self.get_argument("text", "") 55 print(text) 56 self.set_header("X-XSS-Protection", 0) 57 self.render_template("new.html", text=text) 58 59 60 class OldHandler(RequestHandler): 61 62 def get(self, *args, **kwargs): 63 self.render("old.html", text="") 64 65 def post(self, *args, **kwargs): 66 text = self.get_argument("text", "") 67 print(text) 68 self.set_header("X-XSS-Protection", 0) 69 self.render("old.html", text=text) 70 71 72 if __name__ == ‘__main__‘: 73 current_path = os.path.dirname(__file__) 74 app = Application([ 75 (r"/new", NewHandler), 76 (r"/old", OldHandler) 77 ], 78 cookie_secret="HelloWorld", 79 static_path=os.path.join(current_path, "static"), 80 template_path=os.path.join(current_path, "templates") 81 ) 82 http_server = HTTPServer(app) 83 http_server.bind(8080) 84 http_server.start() 85 IOLoop.current().start()
HTML代码如下
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>escape</title> </head> <body> <form method="post"> <textarea name="text" id="js" cols="30" rows="10"></textarea> <input type="submit" value="提交"> </form> {{ text|escape}} <!-- 开启转义 --> {{ text }} <!-- 关闭转义,js代码将会执行 --> </body> </html>
new.html
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>escape</title> </head> <body> <form method="post"> <textarea name="text" id="js" cols="30" rows="10"></textarea> <input type="submit" value="提交"> </form> {{ text }} <!-- Tornado模板自动开启转义 --> {% raw text %} <!-- 使用模板语法{% raw *text* %}, JS代码将执行 --> </body> </html>
old.html
注意:在Firefox浏览器中会直接弹出alert窗口,而在Chrome浏览器中,需要set_header("X-XSS-Protection", 0)
Tornado还有两种方法关闭自动转义:
- 在Application构造函数中传递autoescape=None参数;
- 在每页模板中修改自动转义行为,添加语句:{% autoescape None %}
原文地址:https://www.cnblogs.com/Oliver-yzx/p/10348773.html
时间: 2024-10-09 06:09:14