Add safe templates documentation #892
Conversation
| string.:: | ||
| in an HTML page, they must be HTML escaped. In the earlier example, this is | ||
| handled through the ``<%page>`` directive with the ``h`` filter. See the | ||
| documentation on Safe Templates for more details. |
There was a problem hiding this comment.
@catong This isn't quite ready for review yet, but I'm not sure of the proper way to cross-link between documentation. This includes both the syntax and the english. I have done this a couple of times, so if you could let me know what I should do, that would be great. Thanks!
There was a problem hiding this comment.
@robrap If the link is to an "anchor" within the same guide, which I see it is, the syntax is as follows. :ref:Safe Templates. If the link is to an anchor in another guide, it's the same with the addition of a prefix for the guide in which the anchor lives. For example, `:ref:`partnercoursestaff:Reporting Certificate Data.
There was a problem hiding this comment.
Recommended wording is: "For more information, see :ref:Safe Templates``."
The ref gets replaced by a link whose text is the heading text of the cross-ref target.
robrap
force-pushed
the
robrap/safe-templates
branch
2 times, most recently
from
a85012a
to
46a4810
Compare
| @@ -1,7 +1,7 @@ | |||
| .. _Accessibility Guidelines for Developers: | |||
|
|
|||
| ############################# | |||
| EdX Accessibility Guidelines | |||
| edX Accessibility Guidelines | |||
There was a problem hiding this comment.
@catong This was just to make this consistent with all the other sections.
robrap
force-pushed
the
robrap/safe-templates
branch
2 times, most recently
from
7bb82fa
to
6cbf0f3
Compare
|
|
||
| <%page expression_filter="h"/> | ||
| ... | ||
| ${get_course_date_summary(course, user) | n} |
There was a problem hiding this comment.
@nedbat I'm not sure if we want to use | n, | n, unicode, or HTML() for the case where we are expecting HTML. Using HTML() would be like using | n, unicode, but it might read better:
${HTML(get_course_date_summary(course, user))}
| ${data | h} | ||
|
|
||
| As we work toward this default, we'll add the following ``%page`` directive | ||
| to each template once at the top, following any import statements. |
There was a problem hiding this comment.
Above the import statements would be better.
| <%! from openedx.core.djangolib.markup import HTML, ugettext as _ %> | ||
| In order to mix plain text and HTML using ``format()``, you must use the | ||
| ``HTML()`` and ``Text()`` functions. The function ``HTML()`` can be used to | ||
| wrap any replacement string that has an actual HTML tag that should not be |
There was a problem hiding this comment.
Active voice without options will be more direct: "Use the HTML() function when you have a replacement string that already contains HTML." or something.
| need to properly escape. In some cases, this may reduce the likelihood of | ||
| potential problems, but proper escaping is always necessary. | ||
|
|
||
| #. Do not store escaped data. Again, since you do not know ahead of time all |
There was a problem hiding this comment.
I forgot we rewrote this to allow for bold.
@catong Can you please add bold here. Thank you.
|
Resolve remaining comments as you see fit, then 👍 |
| entire platform, and we will be able to remove these lines. | ||
|
|
||
| Soon we will also have a linter available that will help with the transition | ||
| to Mako templates that are safe by default. Additionally, the tool will help |
There was a problem hiding this comment.
Not clear whether "the tool" here refers to the linter or some other tool.
|
@robrap @nedbat I made a light editing pass of the safe templates file. I had some questions/comments that might result in some restructuring. I will do another pass after any structural/content changes. I also still need to take an overall look at the headings and cross-references in both the i18n and safe templates files, potentially add unique labels so that sphinx mapping works properly. |
| <%page expression_filter="h"/> | ||
| ... | ||
| ${data} | ||
|
|
There was a problem hiding this comment.
@catong It was easier for me to adjust and have you just grab my commit. I took out all discussion of the strategy here. That is handled elsewhere under strategy. Here we will just describe what we want people to do today.
catong
force-pushed
the
robrap/safe-templates
branch
from
00a8c4c
to
a713017
Compare
| extremely careful when using ``| n, unicode``, and make sure the originating | ||
| code is properly escaped. Note that the ``n`` filter turns off all default | ||
| filters, including the default ``unicode`` filter, so it is added back | ||
| explicitly. Here is an example. |
|
@catong I'm done with my pass. As mentioned, I made some updates myself. I also added a couple of comments that I didn't update myself. I hope that wasn't confusing. |
|
|
||
| For more details on translating strings and proper escaping, see :ref:`i18n`. | ||
|
|
||
| There are some rare cases where we need to turn off default HTML-escaping using |
There was a problem hiding this comment.
@e0d The following sentences and example are supposed to provide examples.
Here is an alternative intro sentence that scopes this to a "specific expression":
In some rare cases we need to turn off default HTML-escaping using | n, unicode for a specific expression.
|
@nedbat @robrap Please see the latest state of the safe templates section (http://draft-dev-guide-i18n-update.readthedocs.org/en/latest/safe_templates.html). Rob and I talked and we agreed that the strategy section could become an intro to the detailed "how to make Mako templates safe" section. For now I have placed that combined section AFTER the "Editing Templates" section that has subsections for various file types, and added a cross-reference from the Mako template topic within "Editing Templates" to the new combined "Making Mako Templates Safe by Default" topic. Let me know if you think this latest incarnation works. |
| ensure that all expressions use HTML-escaping by default. For details, see | ||
| :ref:`Set HTML Escaping Filter as Default`. | ||
|
|
||
| The following topics describe various methods of making your Mako templates |
There was a problem hiding this comment.
@catong Can we say: "The following sections describe a list of steps required for making.."
There was a problem hiding this comment.
@robrap I have reworded as "The following topics describe the steps you need to take to make..." I don't want to use "sections" instead of "topics" because we generally refer to chapters as sections and the headings within a section as topics. OK?
|
@robrap I've made a couple of final commits, and you now have my 👍 , so I leave the rest to you! |
catong
force-pushed
the
robrap/safe-templates
branch
from
c2ede11
to
b9de2eb
Compare
|
Merging #892 |
Add safe templates doc; update i18n with best practices
DOC-2739
Description
Relates to TNL-4160
Date Needed
This will be used for a coding bug bash in mid-March.
Reviewers
PR submitter checks the boxes after each reviewer finishes and gives 👍.
FYI: @scottrish
Testing
Post-review