安裝jinja2包html
pip install jinja2
定義繼承tornado.web.RequestHandler的子類BaseHandler。若是請求處理類繼承這個類將會使用jinja模板引擎;若是請求處理類繼承tornado.web.RequestHandler,則會使用Tornado框架的模板引擎。web
1 import os 2 3 from jinja2 import Environment, FileSystemLoader, TemplateNotFound 4 from tornado.web import RequestHandler, Application 5 from tornado.httpserver import HTTPServer 6 from tornado.ioloop import IOLoop 7 8 9 class TemplateRendering(object): 10 """ 11 A simple class to hold methods for rendering templates. 12 """ 13 def render_html_file(self, template_name, **kwargs): 14 template_dirs = [] 15 if self.settings.get('template_path', ''): 16 template_dirs.append(self.settings['template_path']) 17 env = Environment(loader=FileSystemLoader(template_dirs)) 18 try: 19 template = env.get_template(template_name) 20 except TemplateNotFound: 21 raise TemplateNotFound(template_name) 22 content = template.render(kwargs) 23 return content 24 25 26 class BaseHandler(RequestHandler, TemplateRendering): 27 28 def initialize(self): 29 pass 30 31 def get_current_user(self): 32 user = self.get_secure_cookie("user") 33 return user or None 34 35 def render_template(self, template_name, **kwargs): 36 kwargs.update({ 37 "settings": self.settings, 38 "STATIC_URL": self.settings.get("static_url_prefix", "/static/"), 39 "request": self.request, 40 "current_user": self.current_user, 41 "xsrf_token": self.xsrf_token, 42 "xsrf_form_html": self.xsrf_form_html 43 }) 44 content = self.render_html_file(template_name, **kwargs) 45 self.finish(content) 46 47 48 class NewHandler(BaseHandler): 49 50 def get(self, *args, **kwargs): 51 self.render_template("new.html", text="") 52 53 def post(self, *args, **kwargs): 54 text = self.get_argument("text", "") 55 print(text) 56 self.set_header("X-XSS-Protection", 0) 57 self.render_template("new.html", text=text) 58 59 60 class OldHandler(RequestHandler): 61 62 def get(self, *args, **kwargs): 63 self.render("old.html", text="") 64 65 def post(self, *args, **kwargs): 66 text = self.get_argument("text", "") 67 print(text) 68 self.set_header("X-XSS-Protection", 0) 69 self.render("old.html", text=text) 70 71 72 if __name__ == '__main__': 73 current_path = os.path.dirname(__file__) 74 app = Application([ 75 (r"/new", NewHandler), 76 (r"/old", OldHandler) 77 ], 78 cookie_secret="HelloWorld", 79 static_path=os.path.join(current_path, "static"), 80 template_path=os.path.join(current_path, "templates") 81 ) 82 http_server = HTTPServer(app) 83 http_server.bind(8080) 84 http_server.start() 85 IOLoop.current().start()
HTML代碼以下瀏覽器
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>escape</title> </head> <body> <form method="post"> <textarea name="text" id="js" cols="30" rows="10"></textarea> <input type="submit" value="提交"> </form> {{ text|escape}} <!-- 開啓轉義 --> {{ text }} <!-- 關閉轉義,js代碼將會執行 --> </body> </html>
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>escape</title> </head> <body> <form method="post"> <textarea name="text" id="js" cols="30" rows="10"></textarea> <input type="submit" value="提交"> </form> {{ text }} <!-- Tornado模板自動開啓轉義 --> {% raw text %} <!-- 使用模板語法{% raw *text* %}, JS代碼將執行 --> </body> </html>
注意:在Firefox瀏覽器中會直接彈出alert窗口,而在Chrome瀏覽器中,須要set_header("X-XSS-Protection", 0)cookie
Tornado還有兩種方法關閉自動轉義:app