With Django, is it possible for users to submit HTML in a form field, save it, and then render the HTML in the template?
An example is a user adding a link within a textfield that should then be rendered as an a tag within the rest of the text.
The user would input something like :
this is a site called SO.
The SO link would be a link instead of rendering it as text.
Django escapes by default. You can mark a string as safe via a filter or tag to prevent the auto escaping behavior.
{{ my_text_with_html|safe }}
{% autoescape off %}
{{ my_test_with_html }}
{% endautoescape %}
If you accept user inputted html, you'll want to sanitize it so they can't write scripts and such.. for that, just search python html sanitizing and apply it before sending the data to the template.
Python HTML sanitizer / scrubber / filter
You can tell Django the HTML is safe by marking it with the appropriate filter:
{{ variable|safe }}
You can also use the autoescape tag to disable the autoescaping:
{% autoescape off %}
{{ variable }}
{% endautoescape %}
However, in case you are enabling this feature for other (unknown) users, I highly recommend using something else, since HTML can be quite a pain to properly sanitize from Javascript or other HTML-things you don't want (e.g., on*-arguments etc). Django actually ships with basic support for some markup languages you can provide to your users. I guess markdown is being the most popular.
Related
I'm using Django-variant CMS Wagtail and am trying to build my own templates for it.
I can upload images into the rich text field in Wagtail's CMS as shown:
In my template's html, I would like to be able to call specific images uploaded in the body so that I can style those specific images differently with js.
perhaps something like {{ body.image }}?
the html:
{% extends 'wagweb/base.html' %}
{% load rich_text static compress cache image_tags pageurl %}
{% block content %}
<div class="box">
<article class ="content">
{{ self.body | richtext }}
</article>
</div>
{% endblock %}
I'm lost at this point, as I can't figure out how to find the pre-existing tag dictionary (if there is any) or to create one without messing with the views.py? Or would it be more straight-forward to install markdown into the richtextfield and work from there?
I'm tons more comfortable with html and css, so one solution is to simply write everything in html and use {{ MEDIA_URL }} to call the specific images. But that seems like an unintelligent way to use Wagtail and Django.
Currently the rich text editor doesn't support embedded images with custom attributes (like CSS classes). It also doesn't provide a HTML source editor for the richtext field.
However, if you don't need to have the images inline with the rich text (but rather before or after the text, you could include them in your page model using InlinePanel pointing to table which uses a ParentalKey. Then, in your templates, you could loop through multiple images and apply the specialized CSS classes. The Wagtail demo project uses this method to create an image carousel. You can find some explanation on the more general tactic of using ParentalKey/InlinePanel here in the Editing API.
Currently I am using a CKEditor text editor. It escape's html but I want to prevent it from server side.
What is the best way to prevent XSS When we are using Text Editor in Python/Django?
Automatically or explicitly escape your output in templates, e.g.
{% autoescape on %}
{{ body }}
{% endautoescape %}
or
{{ body|escape }}
If you want to only escape JavaScript the "right" way to do it would be to convert the HTML to DOM, walk the tree of nodes, and remove any script elements. A less elegant and imperfect solution would be to use a regular expression to replace any script tags.
We are using the #login_required decorator so that users see a login page if they try to access a url for which they need to be authenticated.
We want to show a 'cancel' button on the login page, which should return the user to whichever page they were on when they tried to access the url (by clicking a link etc - we don't need to deal with them manually entering the url).
At the moment our login.html looks for a request parameter 'login_cancel_url' and if present uses that (otherwise the home page).
However, this means we have to manually pass this parameter (set to the url of the current page) whenever we show a link or button that leads to an 'authentication required' url.
Is there a more elegant way to do this?
Thanks, Martin
Well you can try get the referrer header from the request but as far as I am aware, it's browser dependent and is not very reliable so the way you are doing it is probably best. You could try make life easier by creating template tags to avoid having to rewrite the return URL manually.
You are easily able to get the current URL from django's request object on any page, so instead of setting it manually on the link, you could write a snippet of html:
link_to_login.html
<!-- You should probably get /login/ using the {% url ... %} template tag -->
<a href="/login/?login_cancel_url={{ request.path|urlencode }}">
Login Page</a>
and use the {% include "link_to_login.html"%} template tag.
Alternatively, If the text needs to be different depending on the link you can instead create an inclusion template tag:
templatetags/extra_auth_tags.py
#register.inclusion_tag('templates/extra_auth_tags/login_link.html')
def login_link(context, text=None):
return {
'text':text
}
templates/extra_auth_tags/login_link.html
<!-- You should probably get /login/ using the {% url ... %} template tag -->
<a href="/login/?login_cancel_url={{ request.path|urlencode }}">
{% if text %}
{{ text }}
{% else %}
Some Default Text
{% endif %}
</a>
and then call it in your templates as {% login_link text="Check you messages" %}. Be aware that keyword arguments for inclusion tags are only supported in the django dev version so you might need to write the template tag by hand.
I have a django template which loops over many notes/comments. As a simplified example take this.
{% for note in notes %}
<p>
Date added: {{ note.date_added }}
{{ note.note|urlize|url_target_blank|linebreaks }}
</p>
{% endfor %}
Then on the same page I have a form to add a new note. This note form is an ajax form and returns the newly submitted note back to the page and appends it at the end of the already existent note area.
I don't like this because I have to maintain the same html structure both in the page for the initial load, as well as in the response from the ajax form.
Is there a way to put a call to another template, inside of a template (in this for loop) so I can maintain the note formatting in one location only?
Thanks.
Perhaps you're looking for the "include" tag: http://docs.djangoproject.com/en/dev/ref/templates/builtins/#include
I use django feed framework to organize rss feeds for my website.
I need to put some hyperlinks to feed items, but al of them are
autoescaped ( "<" is replaced with "<" and so on).
Is it possible to keep tags in my feed (as I understand, I can't use
{% autoescape off %} tag in feed templates)?
Thanks.
Read up on Automatic HTML escaping in Django and try the following syntax. Where data is the variable which holds your link
{{ data|safe }}
As jitter mentioned you can use "safe" filter, but it's annoying if you want to disable autoescaping often. Django also supports {% autoescape off %} {% autoescape end %} blocks, everything inside is block won't be autoescaped.
EDITED: Sorry, I haven't read your question completely only title :). Why you can't use autoescape tag in feeds? There's no restriction about it.