-
Notifications
You must be signed in to change notification settings - Fork 338
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add safe templates documentation #892
Conversation
string.:: | ||
in an HTML page, they must be HTML escaped. In the earlier example, this is | ||
handled through the ``<%page>`` directive with the ``h`` filter. See the | ||
documentation on Safe Templates for more details. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@catong This isn't quite ready for review yet, but I'm not sure of the proper way to cross-link between documentation. This includes both the syntax and the english. I have done this a couple of times, so if you could let me know what I should do, that would be great. Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@robrap If the link is to an "anchor" within the same guide, which I see it is, the syntax is as follows. :ref:
Safe Templates. If the link is to an anchor in another guide, it's the same with the addition of a prefix for the guide in which the anchor lives. For example, `:ref:`partnercoursestaff:Reporting Certificate Data
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Recommended wording is: "For more information, see :ref:
Safe Templates``."
The ref gets replaced by a link whose text is the heading text of the cross-ref target.
a85012a
to
46a4810
Compare
@@ -1,7 +1,7 @@ | |||
.. _Accessibility Guidelines for Developers: | |||
|
|||
############################# | |||
EdX Accessibility Guidelines | |||
edX Accessibility Guidelines |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@catong This was just to make this consistent with all the other sections.
7bb82fa
to
6cbf0f3
Compare
|
||
<%page expression_filter="h"/> | ||
... | ||
${get_course_date_summary(course, user) | n} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nedbat I'm not sure if we want to use | n
, | n, unicode
, or HTML()
for the case where we are expecting HTML. Using HTML()
would be like using | n, unicode
, but it might read better:
${HTML(get_course_date_summary(course, user))}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
HTML()
seems good to me.
${data | h} | ||
|
||
As we work toward this default, we'll add the following ``%page`` directive | ||
to each template once at the top, following any import statements. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Above the import statements would be better.
<%! from openedx.core.djangolib.markup import HTML, ugettext as _ %> | ||
In order to mix plain text and HTML using ``format()``, you must use the | ||
``HTML()`` and ``Text()`` functions. The function ``HTML()`` can be used to | ||
wrap any replacement string that has an actual HTML tag that should not be |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Active voice without options will be more direct: "Use the HTML() function when you have a replacement string that already contains HTML." or something.
need to properly escape. In some cases, this may reduce the likelihood of | ||
potential problems, but proper escaping is always necessary. | ||
|
||
#. Do not store escaped data. Again, since you do not know ahead of time all |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No bold on this one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I forgot we rewrote this to allow for bold.
@catong Can you please add bold here. Thank you.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
Resolve remaining comments as you see fit, then 👍 |
entire platform, and we will be able to remove these lines. | ||
|
||
Soon we will also have a linter available that will help with the transition | ||
to Mako templates that are safe by default. Additionally, the tool will help |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not clear whether "the tool" here refers to the linter or some other tool.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same linter. Thanks.
@robrap @nedbat I made a light editing pass of the safe templates file. I had some questions/comments that might result in some restructuring. I will do another pass after any structural/content changes. I also still need to take an overall look at the headings and cross-references in both the i18n and safe templates files, potentially add unique labels so that sphinx mapping works properly. |
<%page expression_filter="h"/> | ||
... | ||
${data} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@catong It was easier for me to adjust and have you just grab my commit. I took out all discussion of the strategy here. That is handled elsewhere under strategy. Here we will just describe what we want people to do today.
00a8c4c
to
a713017
Compare
extremely careful when using ``| n, unicode``, and make sure the originating | ||
code is properly escaped. Note that the ``n`` filter turns off all default | ||
filters, including the default ``unicode`` filter, so it is added back | ||
explicitly. Here is an example. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@catong I'm done with my pass. As mentioned, I made some updates myself. I also added a couple of comments that I didn't update myself. I hope that wasn't confusing. |
|
||
For more details on translating strings and proper escaping, see :ref:`i18n`. | ||
|
||
There are some rare cases where we need to turn off default HTML-escaping using |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For instance?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@e0d The following sentences and example are supposed to provide examples.
Here is an alternative intro sentence that scopes this to a "specific expression":
In some rare cases we need to turn off default HTML-escaping using | n, unicode
for a specific expression.
@nedbat @robrap Please see the latest state of the safe templates section (http://draft-dev-guide-i18n-update.readthedocs.org/en/latest/safe_templates.html). Rob and I talked and we agreed that the strategy section could become an intro to the detailed "how to make Mako templates safe" section. For now I have placed that combined section AFTER the "Editing Templates" section that has subsections for various file types, and added a cross-reference from the Mako template topic within "Editing Templates" to the new combined "Making Mako Templates Safe by Default" topic. Let me know if you think this latest incarnation works. |
ensure that all expressions use HTML-escaping by default. For details, see | ||
:ref:`Set HTML Escaping Filter as Default`. | ||
|
||
The following topics describe various methods of making your Mako templates |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@catong Can we say: "The following sections describe a list of steps required for making.."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@robrap I have reworded as "The following topics describe the steps you need to take to make..." I don't want to use "sections" instead of "topics" because we generally refer to chapters as sections and the headings within a section as topics. OK?
@robrap I've made a couple of final commits, and you now have my 👍 , so I leave the rest to you! |
c2ede11
to
b9de2eb
Compare
Merging #892 |
Add safe templates doc; update i18n with best practices
DOC-2739
Description
Relates to TNL-4160
Date Needed
This will be used for a coding bug bash in mid-March.
Reviewers
PR submitter checks the boxes after each reviewer finishes and gives 👍.
FYI: @scottrish
Testing
Post-review