Eduard Budaca edited this page Apr 16, 2017 · 2 revisions

Pyml syntax

Pyml syntax is inspired by ASP.NET MVC Razor syntax.

  • Write an expression to the page: @expression, terminated by whitespace or by another @ character. (Both spaces and @ can still appear inside Python strings and '(' - ')' pairs.) Example:
    This code:
     <p>This is HTML @"and this is Python" </p>
     <p>I am immune to @"<b>HTML Injection</b>" </p>
     <p>Hello @user@!</p>
     <p>Hello from @("{}, {}".format(city, country))@!</p>
    
    Produces this HTML (depending on the values of the Python variables):
     <p>This is HTML and this is Python </p>
     <p>I am immune to &lt;b>HTML Injection&lt;/b> </p>
     <p>Hello markzuckerberg!</p>
     <p>Hello from Tokyo, Japan!</p>
    
    Note the following:
    • The space in Python strings did not terminate the expression, nor did spaces inside brackets.
    • The space delimiter after the Python expression in the first two paragraphs is kept.
    • The @ delimiter after the expression in the last two paragraphs is removed. This was used instead of a space because we do not want any spaces between the expression result and punctuation marks.
    • The @expression operator escapes characters relevant in HTML code so you're protected from injection. This is what you'll want to use most of the time.
    • In order to escape the whitespace between the format arguments, the entire expression was surrounded by brackets. This was not strictly necessary in this case, because the spaces in the "{}, {}" were escaped by " characters (' would work too), and the spaces in (city, country) were escaped by ( and ).
  • Write an expression to the page without HTML escaping: @!expression, following the same termination rules as @expression.
    WARNING: This is vulnerable to HTML injection, make absolutely sure that everything that this expression could return is sanitized!
    Example:
    This code:
     <p @!'class="active"'@>Active paragraph text (??)</p>
     <p>@!user_input@</p>
    
    Can produce this HTML:
     <p class="active">Active paragraph text (??)</p>
     <p><img src="https://i.imgur.com/kJscbmh.png"></p>
    
  • Execute Python code (nothing will appear in the page): @{python code}. Example:
     @{
     	a = 2
     	b = 7
     }
     @{sum = a + b}
     <p>@sum@</p>
    
    Can produce this HTML:
    
    
     <p>9</p>
    
    Note that everything (including newlines) around the @{} block is kept. This is usually not an issue.
  • Iterate over HTML: @for entry in collection: html_code @/for. Example:
     @for idx in range(3):
     	<p>Index is @idx@</p>
     @/for
    
    Produces this HTML:
    
     	<p>Index is 0</p>
    
     	<p>Index is 1</p>
    
     	<p>Index is 2</p>
    
    
    Note that everything (including whitespace and newlines) around the blocks is kept. This is usually not an issue.
  • Conditional execution: @if condition: html_code @/if (@if condition: html_code @else html_code @/if exists, but is untested). Example:
     @if row_id == 0:
     	<p>First row:</p>
     @/if
    
    Can produce either
    
     	<p>First row:</p>
    
    
    or empty HTML depending on the value of row_id. Again, note the whitespace around the blocks.
  • Import another file: @import expression, terminated following the same rules as @expression. Example:
     @import ".view/inner/header.html"
    
    will import the contents of site_root/.view/inner/header.html into the page instead of the @import expression block. If the file is a Python source file, it will be executed.
  • Import the view of a controller: @import-ctrl controller_expression, terminated following the same rules as @expression. Example:
     @import-ctrl ctrl.inner_ctrl
    
    will import the view of ctrl.inner_ctrl into the page instead of the @import-ctrl controller_expression block.
  • Write a literal @ character: @@. Example:
     <p>mail me at username [@@] gmail [.] com</p>
    
    Produces this HTML:
     <p>mail me at username [@] gmail [.] com</p>
    

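As an added example (not code from the Pyml project), here is a minimal Python renderer for the @expression, @!expression and @@ forms described above, implementing the termination rule (whitespace or @, with both ignored inside quoted strings and bracket pairs) and the escaped-versus-raw distinction. It assumes Python's html.escape, which also escapes >, and quote characters, so its escaped output is stricter than the sample output shown on this page; as in Pyml, the template text is evaluated as Python and is therefore trusted code, while only the values in ctx may come from users.

```python
import html


def scan_expression(src, start):
    """Find the end of a Pyml expression beginning at src[start].

    Returns (expression, index_after, ended_by_at). The expression ends at
    the first whitespace or '@' that is not inside a quoted string or a
    '(' ')' pair. An '@' terminator is consumed; a whitespace terminator
    is left in place so it appears in the output.
    """
    depth, quote, j = 0, None, start
    while j < len(src):
        c = src[j]
        if quote:                       # inside a string: only its closing quote matters
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif depth == 0 and (c.isspace() or c == "@"):
            break
        j += 1
    ended_by_at = j < len(src) and src[j] == "@"
    return src[start:j], (j + 1 if ended_by_at else j), ended_by_at


def render(template, ctx):
    """Render @expr (HTML-escaped), @!expr (raw) and @@ (literal '@') against ctx."""
    out, i = [], 0
    while i < len(template):
        if template[i] != "@":
            out.append(template[i])
            i += 1
        elif template.startswith("@@", i):
            out.append("@")
            i += 2
        else:
            raw = template.startswith("@!", i)
            expr, i, _ = scan_expression(template, i + (2 if raw else 1))
            # The template is trusted Python; ctx holds the (possibly untrusted) data.
            value = str(eval(expr, {"__builtins__": {}}, dict(ctx)))
            out.append(value if raw else html.escape(value, quote=True))
    return "".join(out)
```

The last two assertions in a test of this renderer make the security point of the @! warning concrete: the same user-supplied string is neutralised by @expression and emitted verbatim by @!expression.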