Making a wysiwyg in Qt - c++

What I would like to do is to make a WYSIWYG editor, not a big one, just the common utilities, so bold, italic, underline, size, font, in Qt.
My approach for now is to make it in a QTextEdit: when the user clicks the button I get the signal and, using the cursor index, I put an HTML tag, but I don't know if it's a good idea.
Any Advice?

You can always use the webkit module and rely on the contentEditable feature.

Study "Order form" and "Syntax Highlighter" examples. Also, read QTextCursor and QTextDocument documentation.

I think you refer to the internal format of a document. You just need a solution to keep the formatting information, so the editor/viewer can interpret it. Of course you can choose HTML or HTML-like tags for this. I'd recommend to check out BBCodes, which are widely used for that.
By the nature of WYSIWYG the internal format should be invisible to a user. I don't know about the capabilities of QTextEdit to achieve that. Perhaps there is a HTML/BBCode extension?


QTextEdit: typing in HTML/rich text

I have a QTextEdit and want the user to be able to type rich text which will then automatically be (correctly) shown in the widget (so: formatted).
It works fine when setting the text programmatically (using setText()), but not when manually typed. See picture below.. "Input" is set using setText, the following line is manually typed. I would like this line to automatically be formatted a
What's the (easiest) way to do this? The only way I can think about it to manually catch key events and explicitly set the text as HTML.. But I'm sure there's a better way.
Manual typed html gets escaped, the < will become a &lt; etc.
You wouldn't be able to edit it if that would not be the case, for obvious reasons.
You could try adding a [render] button or something like that to render the entered text to html. Trying to render on keypress is very dangerous because it makes it terribly inconvenient and counter-intuitive to type something and then have it magically change the output. Also un-finished markup will probably throw a stick in your wheel.
Also pasting from a rich text source (for example a webpage) keeps the formatting.
As "the JinX" already said it will not be so intuitive if you try to capture every key event and then try to change the text to render in HTML.
Though you can use some special key sequences, say "shift+return key", to change the text of the current line/entire textedit to HTML-formatted text.
This is just a suggestion.
In this case more than implementation it is also about what a user will expect.
Changing the text of 1 line/entire textedit from plain to HTML would be easy to achieve as well.

Using different fonts/attributes in QTextEdit

I have a problem with displaying a text to area with different attributes.
My project has a multi-threading build. I reach to GUI text area by using signal-slot mechanism. I put my texts to the text area like this;
I want to append my text to this area with different font, size, etc..
I'm using Qt Creator 2.7.2 / Qt 5.1. Could someone explain this to me with an example?
What you want is a rich text edit. Luckily QTextEdit is able to handle that. Check the acceptRichText property (which should be true by default).
Then the methods you're looking for are:
Then, instead of appendPlainText() you should use append() to add text to the QTextEdit. Also see this Q/A. As proposed in the accepted answer, you can also use html formatted text instead.

How to strip HTML from a text property of a Qt4 widget?

What's the easiest way in terms of coding effort, to change a text property of a Qt4 widget, e.g. QLabel.text, so all HTML tags are removed?
The HTML is simple, typically just one to three tags like or and their closing partners.
If you don't want to use a widget for that, you can use QTextDocument::toPlainText()
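QTextDocument doc;
doc.setHtml(htmlString); // htmlString: placeholder for your QString; doc.toPlainText() then returns the text without tags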
I've used this in the past, although the widget seems like overkill. QTextEdit, the rich text edit block. What makes this work is that the constructor assumes that the string has tags.
QTextEdit htmlTextEdit(HtmlText); // HtmlText is any QString with HTML tags.
QString plainText = htmlTextEdit.toPlainText();
It sounds like you are really just looking for a way to strip HTML tags from a string which is not something specific to Qt widgets (unless you want a solution that can take advantage of the rest of the Qt library). Anyway, there seems to be no shortage of hits when searching for "strip html from string". There seems to be 2 general approaches:
Use a regular expression (here there be dragons)
Use an html parser
You may find a regex that is good enough for your purposes but you will need a proper html parser to do it right.
This Stack Overflow question has a lot of discussion about the regex option (although the question is looking to strip all tags except links).
Since you are using Qt, this question has an answer with examples of using a parser from that library.
Why not peek under the hood in QTextEdit::toPlainText() source code, and see what is done there?

Displaying (rendering) HTML from a string in Qt

I have html in a QString, what widget can I use to display it?
(QWebView is not necessary as I don't access the Internet)
QWebView's setHtml():
The QWebView class provides a widget that is used to view and edit web documents.
In Qt QWebView is the widget that renders pages for you - if you don't need the networking features it provides, simply don't use them.
Depending on what HTML tags you are using, you might be able to get away with a QTextEdit. It has support for most of HTML, including tables and images. Take a look at the docs and see if it fits your particular needs.
If you need something more advanced, then you will have to use the widgets in QtWebKit.

How do I use fckEditor safely, without risk of cross site scripting?

This link describes an exploit into my app using fckEditor:
How do I make my app secure while still using fckEditor? Is it an fckEditor configuration? Is it some processing I'm supposed to do server-side after I grab the text from fckEditor?
It's a puzzle because fckEditor USES html tags for its formatting, so I can't just HTML encode when I display back the text.
Sanitize html server-side, no other choice. For PHP it would be HTML Purifier, for .NET I don't know. It's tricky to sanitize HTML - it's not sufficient to strip script tags, you also have to watch out for on* event handlers and even more, thanks to stupidities of IE for example.
Also with custom html and css it's easy to hijack look and layout of your site - using overlay (absolutely positioned) which covers all screen etc. Be prepared for that.
The bug is not actually FCKeditor's fault. As long as you let users edit HTML that will be displayed on your web site they will always have the possibility to do harm unless you check the data before you output it.
Some people use HTMLencoding to do this, but that will destroy all the formatting done by FCKeditor, not what you want.
Maybe you can use the Microsoft Anti-Cross Site Scripting Library. Samples on MSDN
Is it some processing I'm supposed to do server-side after I grab the text from fckEditor?
Precisely. StackOverflow had some early issues related to this as well. The easiest way to solve it is to use an HTML library to parse user's input, and then escape any tags you don't want in the output. Do this as a post-processing step when printing to the page -- the data in the database should be the exact same as what the user typed in.
For example, if the user enters <b><script>evil here</script></b>, your code would translate it to <b>&lt;script&gt;evil here&lt;/script&gt;</b> before rendering the page.
And do not use regular expressions for solving this, that's just an invitation for somebody clever to break it again.
FCKEditor can be configured to use only a few tags. You will need to encode everything except for those few tags.
Those tags are: <strong> <em> <u> <ol> <ul> <li> <p> <blockquote> <font> <span>.
The font tag only should have face and size attributes.
The span tag should only have a class attribute.
No other attributes should be allowed for these tags.
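A parser-based allowlist filter of the kind the answers above describe, as an added example that is not part of the original answers or of FCKeditor: it keeps only the tags and attributes listed above and HTML-encodes every other tag as text. It uses Python's standard `html.parser` because the page does not fix a server language; `AllowlistSanitizer` and `sanitize` are hypothetical names.

```python
import html
from html.parser import HTMLParser

# Allowlist from the answer above: tag -> attributes it may keep.
ALLOWED = {"strong": (), "em": (), "u": (), "ol": (), "ul": (), "li": (), "p": (),
           "blockquote": (), "font": ("face", "size"), "span": ("class",)}

class AllowlistSanitizer(HTMLParser):
    """Re-emit allowlisted tags; HTML-encode everything else as text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []    # output fragments
        self.open = []   # allowlisted tags currently open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            # Any other tag (script, img, a, ...) is shown as literal text.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = "".join(
            f' {name}="{html.escape(value or "")}"'
            for name, value in attrs if name in ALLOWED[tag])
        self.out.append(f"<{tag}{kept}>")
        self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag not in ALLOWED:
            self.out.append(html.escape(f"</{tag}>"))
        elif tag in self.open:  # a stray end tag with no opener is dropped
            while self.open:    # close back to the matching opener
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    # Close tags the user left open so they cannot swallow the page layout.
    return "".join(parser.out) + "".join(f"</{t}>" for t in reversed(parser.open))
```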
I understand the DONTS. I'm lacking a DO.
Is use of FCKEditor a requirement, or can you use a different editor/markup language? I advise using Markdown and WMD Editor, the same language used by StackOverflow. The Markdown library for .NET should have an option to escape all HTML tags -- be sure to turn it on.
XSS is a tricky thing. I suggest some reading:
Is HTML a Humane Markup Language?
Safe HTML and XSS
Anyway, my summary is when it comes down to it, you have to only allow in strictly accepted items; you can't reject known exploit vectors because you'll always be behind in the eternal struggle.
I think the issue raised by some is not that Fckeditor only encodes a few tags. This is a naive assumption that an evil user will use the Fckeditor to write his malice. The tools that allow manual changing of input are legion.
I treat all user data as tainted; and use Markdown to convert text to HTML. It sanitizes any HTML found in the text, which reduces malice.