Is it possible to execute javascript through Wagtail's richtext field? - django

I was building a website with Django and Wagtail as the CMS, and I was wondering whether it's possible to execute JavaScript through Wagtail's richtext field with Wagtail's default richtext filter.
For example, adding an onclick attribute to a link.
My goal is to prevent such a thing from happening, for security reasons.

The |richtext template filter does not strip out any JavaScript code (such as onclick attributes or <script> tags) from its input - it only performs light rewriting of Wagtail's internal HTML-like format, such as replacing <a linktype="page" id="123"> page references with real URLs.
However, JavaScript code is blocked at the point of submission through the Draftail rich text editor. This is because data is prepared and submitted in a non-HTML format (namely Draft.js ContentState JSON) and then converted to Wagtail's HTML-like format when saving to the database - in this process, there is an 'allowed list' of elements to be converted, and none of these have any provision for passing JavaScript code. (If a way to bypass this mechanism were discovered, then this would be considered a security issue and handled through Wagtail's security process.)
This does mean that if your project inserts untrusted rich text data into the database in a way that doesn't go through the rich text editor (such as importing content from an external source), it's your responsibility to validate that data for any unwanted elements / attributes.
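To make the answer's point concrete, here is an added example (not Wagtail's code; Wagtail's real converter is built on the draftjs_exporter package and has a richer rule set) that converts a small Draft.js ContentState document to HTML through allow-lists of block types, inline styles and entity types. Because the input is structured JSON rather than HTML, a `<script>` typed into the text is just text, an unknown entity type is discarded, and an extra `onclick` key in a LINK entity's data is never read. The allow-lists, the `_safe_url` scheme check and the constructed sample are assumptions made for this example.

```python
"""Allow-list conversion of Draft.js ContentState JSON to HTML.

Added illustration, not Wagtail's converter (Wagtail builds its own on the
draftjs_exporter package, with a richer rule set). The shape is the point:
the editor submits structured JSON, and only block types, inline styles and
entity types on the allow-lists below become markup, so a script or an
onclick in the submitted data has nowhere to go.
"""
import html
import json

# Allow-lists (assumed for this example): anything else is dropped on conversion.
BLOCK_TAGS = {"unstyled": "p", "header-two": "h2", "unordered-list-item": "li"}
STYLE_TAGS = {"BOLD": "b", "ITALIC": "i"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")


def _safe_url(url):
    # Keep only schemes we are willing to put into an href; anything else becomes "".
    url = str(url).strip()
    return url if url.lower().startswith(SAFE_URL_PREFIXES) else ""


# Entity renderers read only the keys they know; any other data key is ignored.
ENTITY_RENDERERS = {
    "LINK": lambda data: ("a", {"href": _safe_url(data.get("url", ""))}),
}


def _open_tag(tag, attrs=None):
    attr_text = "".join(
        ' %s="%s"' % (k, html.escape(v, quote=True)) for k, v in (attrs or {}).items()
    )
    return "<%s%s>" % (tag, attr_text)


def _block_to_html(block, entity_map):
    text = block["text"]
    entity_ranges = block.get("entityRanges", [])
    style_ranges = block.get("inlineStyleRanges", [])
    # Split the text wherever a style or entity range starts or ends.
    cuts = sorted({0, len(text)}
                  | {r["offset"] for r in entity_ranges + style_ranges}
                  | {r["offset"] + r["length"] for r in entity_ranges + style_ranges})
    pieces = []
    for start, end in zip(cuts, cuts[1:]):
        opens, closes = [], []
        for r in entity_ranges:              # entities wrap a segment outermost
            if r["offset"] <= start and end <= r["offset"] + r["length"]:
                entity = entity_map.get(str(r["key"]), {})
                render = ENTITY_RENDERERS.get(entity.get("type"))
                if render:                   # unknown entity types are dropped
                    tag, attrs = render(entity.get("data", {}))
                    opens.append(_open_tag(tag, attrs))
                    closes.insert(0, "</%s>" % tag)
        for r in style_ranges:
            if r["offset"] <= start and end <= r["offset"] + r["length"]:
                tag = STYLE_TAGS.get(r["style"])
                if tag:                      # unknown styles are dropped
                    opens.append(_open_tag(tag))
                    closes.insert(0, "</%s>" % tag)
        # Text is always escaped, so "<script>" typed as text stays text.
        pieces.append("".join(opens) + html.escape(text[start:end]) + "".join(closes))
    block_tag = BLOCK_TAGS.get(block.get("type"), "p")
    return _open_tag(block_tag) + "".join(pieces) + "</%s>" % block_tag


def content_state_to_html(content_state):
    """Convert a ContentState dict or JSON string to HTML using the allow-lists."""
    if isinstance(content_state, str):
        content_state = json.loads(content_state)
    entity_map = content_state.get("entityMap", {})
    return "".join(_block_to_html(b, entity_map) for b in content_state["blocks"])


# Constructed sample of a tampered submission: the LINK carries an extra
# "onclick" data key and a second entity of an unlisted type wraps raw HTML.
SAMPLE_CONTENT_STATE = {
    "blocks": [{
        "key": "a1b2c", "type": "unstyled", "depth": 0, "data": {},
        "text": "Click here to continue <script>alert(1)</script>",
        "inlineStyleRanges": [{"offset": 0, "length": 5, "style": "BOLD"}],
        "entityRanges": [{"offset": 6, "length": 4, "key": 0},
                         {"offset": 23, "length": 25, "key": 1}],
    }],
    "entityMap": {
        "0": {"type": "LINK", "mutability": "MUTABLE",
              "data": {"url": "https://example.com/next", "onclick": "alert(1)"}},
        "1": {"type": "RAW_HTML", "mutability": "IMMUTABLE",
              "data": {"html": "<script>alert(1)</script>"}},
    },
}

if __name__ == "__main__":
    print(content_state_to_html(SAMPLE_CONTENT_STATE))
```

Running it on the sample yields a paragraph with a bold word, a plain link to the allowed URL and the script text escaped; the `onclick` key and the RAW_HTML entity leave no trace. The same design explains the answer's last point: this protection only exists on the editor path, so content written to the database by any other route still needs its own validation.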

Related

How to properly secure asp.net core 3.1 app from XSS attack and display HTML using @Html.Raw()

I have an Asp.Net Core 3.1 razor page app. I'm receiving HTML content from the user and that will be displayed back in the browser. It's kind of a blog-like app where my end user will be given a WYSIWYG editor and then the HTML from the user will be encoded and saved in the database.
Now when the blog page is requested, I need to decode the HTML content back and display it in the browser. This makes my site vulnerable to XSS attack.
Here is my HTML from the user:
<p>blog 5</p><script>alert()</script>
I encode this and save it in the database:
&lt;p&gt;blog 5&lt;/p&gt;&lt;script&gt;alert()&lt;/script&gt;
Now to render the same:
@Html.Raw(System.Net.WebUtility.HtmlDecode(Model.Blog.Content))
When the page gets rendered it shows a JavaScript alert() box.
If I don't decode, then the HTML string is displayed,
@Html.Raw(Model.Blog.Content)
as shown below:
<p>blog 5</p><script>alert()</script>
I'm confused. Am I doing something wrong here? Please assist and correct me. I need the HTML to be safe and also it has to display as HTML in the browser rather than as an HTML string output.
I would recommend using an HTML sanitizer library. One of the more popular ones for .NET is:
https://github.com/mganss/HtmlSanitizer
It is available on NuGet:
https://www.nuget.org/packages/HtmlSanitizer/
This will allow you to whitelist the tags that you want to allow. See the wiki for additional documentation and examples.
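An added example of what an allow-list sanitizer does, written in Python with only the standard library rather than in C#, so it is neither the HtmlSanitizer library nor the question's Razor code. It serves this answer's recommendation and also the Wagtail answer's note above about content that reaches the database without passing through the editor: unlisted tags vanish while their text survives, <script> and <style> bodies are discarded, event-handler attributes are never on the list, and hrefs are limited to safe schemes. The allow-lists and the sample inputs are assumptions constructed for the example.

```python
"""Allow-list HTML sanitizer on top of the standard library's html.parser.

Added example of the approach a sanitizer library such as HtmlSanitizer takes;
it is not that library. Unlisted tags disappear (their text is kept),
<script>/<style> bodies are dropped, event-handler attributes never pass, and
link targets are limited to safe schemes. The allow-lists are assumptions.
"""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}      # text inside these is dropped too
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []      # allowed tags currently open, for balanced output
        self.skip_depth = 0      # > 0 while inside a dropped-content element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return               # e.g. <img onerror=...>: the tag simply disappears
        kept = []
        for name, value in attrs:        # html.parser already lower-cases names
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue         # onclick, style, srcdoc, ... are never listed
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue         # javascript:, data:, vbscript: links are dropped
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close anything opened after it too, so the output stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))   # text is re-escaped

    def result(self):
        while self.open_tags:                # close whatever the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(untrusted_html):
    """Return HTML containing only allow-listed tags and attributes."""
    parser = AllowListSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return parser.result()


# Constructed samples: the question's own input plus a few common variants.
SAMPLE_INPUTS = [
    '<p>blog 5</p><script>alert()</script>',
    '<p><a href="javascript:alert(1)" onclick="x()">link</a> 1 &lt; 2</p>',
    '<img src=x onerror=alert(1)><div>kept text</div><b>unclosed',
]

if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print(repr(sample), "->", repr(sanitize(sample)))
```

The question's input `<p>blog 5</p><script>alert()</script>` comes out as `<p>blog 5</p>`, which can then be emitted with `@Html.Raw` safely because nothing outside the allow-list survived. Sanitizing once on input and again on output is a reasonable belt-and-braces choice, since the allow-list may be tightened after content was stored.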

How to import and scrape a html file into a collection in APEX

Problem: I have an invoice that is not structured conveniently. It's in the form of an HTML web page containing a few tables with two columns: key and value pairs.
I want to enable the user to select that file, import it into an APEX page, scrape that file into a collection and work on it, e.g. checking if values match the ones that are currently in my database.
Next, if validation is successful, the user may change some data in the collection. After that, the file is saved into a database table.
I've tried to look up some plugins to do so but nothing was close, unfortunately. I'm new to that technology. Could you give me some ideas on how to do that the proper way? Scraping itself will be a problem, so I need some kind of language to manipulate HTML code.

Drupal 8: How to alter the final html output?

I use a single Drupal 8 installation to serve content for multiple websites' FAQ sections. So I have put some custom tags like "##website_name##" in the HTML in article content and title. I also have blocks and custom views which display links to other articles like: related articles or popular articles etc.
I want to replace the custom tags with the respective value of the website. Is there any hook present in Drupal 8 which will be executed on generation of the final output HTML but before sending it to the browser, so that I can place my replacement logic there?

HTML / rich text editor in Django Admin

Is there a way to have a rich text editor in the Django admin panel, as a widget for a TextField, instead of TextArea, as the admin will essentially put in text that would be HTML text?
It would basically be an HTML-formatted email that would be sent out each time a certain row is created in the database table, and the admin would manually input this HTML content.
Thanks
Although there are lots of rich text editors (Django plugins) available for the admin site (like it's mentioned in @obayhan's answer), I love to use CKEditor, and it's a JS-based editor, so it's not required to install any Django apps. Here it's written about how to use it on the admin site.
Tons of WYSIWYG editors, listed here: https://www.djangopackages.com/grids/g/wysiwyg/

Plone-like search box in Django?

Plone has a beautiful search box with a "Google suggest" like functionality for its site. It even indexes uploaded documents like PDFs. Does anyone know of a module that can provide this kind of functionality in a Django site?
Plone implements its LiveSearch feature by maintaining a separate metadata table of indexed attributes (fields such as last modified, creator, title are copied from the content objects into this table). Content objects then send ObjectAdded/ObjectModified/ObjectRemoved events, and an event subscriber listens for these events and is responsible for updating the metadata table (in Django events are named signals). Then there is a Browser View exposed at a fixed URL that searches the metadata and returns the appropriate LiveSearch HTML, and finally each HTML page is sent the appropriate JavaScript to handle the autocomplete AJAX functionality to query this view and slot the resulting HTML results into the DOM.
If you want your LiveSearch to query multiple Models/Content Types, you are likely going to need to send your own events and have a subscriber handle them appropriately. This isn't necessary for smaller data sets or lower traffic sites, where the performance penalty for doing multiple queries for a single search isn't a concern (or you only want to search a single content type), and you can just do several queries from your View.
As for the JavaScript side, you can roll your own or use an existing JavaScript library. This is usually called autocomplete in the JS library. There is YUI autocomplete and Scriptaculous autocomplete for starters, and likely lots more JavaScript autocomplete implementations out there. Plone uses KSS for its JavaScript library; the KSS livesearch plugin is a good place to start if looking for example code to pluck from.
http://pypi.python.org/pypi/kss.plugin.livesearch
And a tutorial on using KSS with Django:
http://kssproject.org/docs/tutorial/kss-in-django-with-kss-django-application
KSS is quite nice since it cleanly separates behaviour from content on the client side (without needing to write JavaScript), but Scriptaculous is conceptually a little simpler and has somewhat better documentation (http://github.com/madrobby/scriptaculous/wikis/ajax-autocompleter).