TinyMCE Python Flask Script Tag Issue - flask

So I'm in the process of creating a flask application which utilises both CodeMirror and TinyMCE as a Rich Text Editor to render any HTML/CSS input.
The user's code is entered in CodeMirror, and using a POST request, the input from CodeMirror is sent to the TinyMCE StringField. I've been able to implement this fine for standard HTML and CSS; however, I've been having some issues with script tags. The script tags in TinyMCE are being changed from
<script>
</script>
to
<script type='mce-no/type'>
</script>
This stops the JavaScript from being rendered in TinyMCE, and I was wondering if there was any solution for this issue in Flask?

You would only see that if you get the "raw" content from TinyMCE using its getContent({format: 'raw'}) API call. If you use the normal getContent() API call you won't see that odd type value.
TinyMCE won't execute JavaScript during an editing session.

Related

Does Django render JS on server side?

I know that Django's default configuration is SSR (server-side rendering), but all the articles I have gone through mention that Django forms are rendered on the server side and then sent to the browser. There is no specific information on the use case where JavaScript is mixed into the template.
I want to know if I use jquery tables in my Django template. Does that still render on server side? If yes then how does it render Javascript/jquery on the server-side?
I'd be glad if someone corrects me if my question itself has an invalid argument.
JavaScript is for browsers, so it doesn't matter if you write it in your template or add a link to it. The only way to render JS on the server side is to actually have an engine doing that for you, which Django doesn't.
What Django's template engine does is render the template based on the tags and HTML you provided and send valid HTML to the user containing the JS code or JS files alongside the CSS; the browser then runs that JS and CSS and renders the final webpage.

How to properly secure asp.net core 3.1 app from XSS attack and display HTML using @Html.Raw()

I have an Asp.Net Core 3.1 razor page app. I'm receiving HTML content from user and that will be displayed back in the browser. It's kind of blog like app where my end user will be given a WYSIWYG editor and then the HTML from user will be encoded and saved in database.
Now when the blog page is requested, I need to decode the HTML content back and display in browser. This make my site vulnerable to XSS attack.
Here is my HTML from user,
<p>blog 5</p><script>alert()</script>
I encode this and save in database,
&lt;p&gt;blog 5&lt;/p&gt;&lt;script&gt;alert()&lt;/script&gt;
Now to render the same,
@Html.Raw(System.Net.WebUtility.HtmlDecode(Model.Blog.Content))
When the page gets rendered it shows javascript alert() box.
If I don't decode, then the HTML string is displayed,
@Html.Raw(Model.Blog.Content)
as shown below,
<p>blog 5</p><script>alert()</script>
I'm confused. Am I doing something wrong here? Please assist and correct me. I need the html to be safe and also it has to display as html in browser than as html string output.
I would recommend using an HTML sanitizer library. One of the more popular ones for .NET is:
https://github.com/mganss/HtmlSanitizer
It is available on Nuget:
https://www.nuget.org/packages/HtmlSanitizer/
This will allow you to whitelist the tags that you want to allow. See the wiki for additional documentation and examples.
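An added example, not code from TinyMCE, Flask, the HtmlSanitizer library or any of the posters, showing the point behind both the TinyMCE answer above and this one. TinyMCE's `type="mce-no/type"` rewrite only stops the script from running inside the editor; the raw content still carries it, so the server must not trust either form. And the HtmlEncode-on-save, HtmlDecode-then-Raw-on-render pattern from the question is a no-op that hands the original payload back to the browser. The allow-list sanitizer below uses only the Python standard library (`html.parser`); the tag, attribute and URL-scheme lists and the `_safe_url` helper are this example's own choices, not HtmlSanitizer's defaults:

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list: anything not listed here is dropped (tags) or stripped (attributes).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "a", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# Elements whose whole content is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}


def _safe_url(value):
    """Reject href values whose scheme is not allow-listed (javascript:, data:, ...)."""
    if value is None:
        return False
    # Browsers ignore tabs/newlines/control chars inside a scheme ("java\tscript:"),
    # so strip them before looking at the scheme.
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Re-serialises only allow-listed tags/attributes; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.open = []       # stack of emitted, not yet closed tags
        self.drop_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        safe = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # strips onclick=, onerror=, style=, ...
            if name == "href" and not _safe_url(value):
                continue
            safe.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open:
            return  # stray or disallowed close tag
        while self.open:  # close anything the input left open inside this element
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            # Text is always re-escaped, so a "<" typed by a user stays text.
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open:  # close tags the input never closed
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(user_html):
    """Return user_html reduced to the allow-list; the result is safe to emit unescaped."""
    parser = AllowListSanitizer()
    parser.feed(user_html)
    return parser.result()


def encode_decode_roundtrip(user_html):
    """HtmlEncode on save + HtmlDecode before Raw on render: the payload comes back intact."""
    return html.unescape(html.escape(user_html))


# Constructed sample: the payload from the question above.
SAMPLE = "<p>blog 5</p><script>alert()</script>"

if __name__ == "__main__":
    print(html.escape(SAMPLE))              # shows as visible text, never as markup
    print(encode_decode_roundtrip(SAMPLE))  # original payload, script would run
    print(sanitize(SAMPLE))                 # <p>blog 5</p>
```

Run `sanitize()` once on the way into the database (or on the way out, but consistently in one place), then emit the result with `@Html.Raw` or Flask's `Markup` without any further decoding. Note that the sanitizer drops `<script type="mce-no/type">` exactly like a plain `<script>`, which is the behaviour a server needs regardless of what the editor did client-side.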

How to show preview of an html document within an ember app

How to show an html document within ember template without affecting the css styles of ember app ?
The html document has a style tag which conflicts with the css of ember application.
Got a workaround using YUI css reset.
<link rel="stylesheet" href="http://yui.yahooapis.com/3.18.1/build/cssreset-context/cssreset-context-min.css">
<div class="yui3-cssreset">
  <!-- the previewed HTML document goes here; the context reset applies only inside this div -->
</div>

How to use django-ckeditor in frontend forms?

I'm working with Django. To integrate a Rich Text Editor with my site, I use the django-CKEditor from https://github.com/django-ckeditor/django-ckeditor
While it works quite fine in the Admin Panel, I'd like to use it in frontend forms to allow the users of my website to edit their own texts via CKEditor. But I can not figure it out...
Is it true that this django-ckeditor can only be used in Admin Panel? If it isn't true, how to make it available in the frontend? Or any recommendation for other Rich Text Editor which I can use at the frontend?
Thanks a lot!!!
I just include ckeditor in static/js and apply it to whichever fields I need.
I initially tried what you are trying, and this (more conventional) way was super easy.
http://ckeditor.com/download
This is an old question, but here is a new answer for people directed here by a search engine...
The js is already downloaded with the package, no need to add it to your statics again, just load the js by adding
{{ form.media }}
in your template's <form> </form> section, and RichTextFields will be rendered using RichTextWidget (with the ckeditor JS). This expects form to be the template variable holding the form.
Reference: https://pypi.org/project/django-ckeditor/#outside-of-django-admin

How to begin creating a web application using a Python and xlrd/django script?

I'm not sure where to begin, as in do I start working towards PHP, Ruby or what, but here is what I'd like to do:
I have a Python script that takes a pre-formatted Excel document and using xlrd and Django, I output a nicely formatted HTML page, based on a template HTML page.
But currently on my team I'm the only one that can use this Python script because of our setups, and I'd like to simplify the process by creating a web app that has a couple of drop-down menus to specify which script to run, then lets me upload the .xls file, at which point the HTML file is automatically generated and a download link is created or the HTML file is spit out somehow.
Does anyone have any guidance as to how I should even begin this project?
I would suggest having a good read of the django docs, and probably working through the tutorials.
Django's documentation is very good.
If you just want to hack at the code you've got, then probably read the following to get a very basic overview of some core Django functionality:
url dispatcher
views
models
forms
templating
With your app, the url dispatcher will pass the request to a view which will use a template to render your excel document.
You want a form to handle your user parameters and a single view to render and process the form and also render the excel template.