What's the easiest way in terms of coding effort, to change a text property of a Qt4 widget, e.g. QLabel.text, so all HTML tags are removed?
The HTML is simple, typically just one to three tags like or and their closing partners.
If you don't want to use a widget for that, you can use QTextDocument::toPlainText()
QTextDocument doc;
doc->setHtml(htmlText);
doc->toPlainText();
I've used this in the past, although the widget seems like overkill. QtextEdit, the rich text edit block. What makes this work is that the constructor assumes that the string has tags.
QTextEdit htmlText(HtmlText); // HtmlText is any QString with html tags.
QString plainText = htmlTextEdit.toPlainText();
It sounds like you are really just looking for a way to strip HTML tags from a string which is not something specific to Qt widgets (unless you want a solution that can take advantage of the rest of the Qt library). Anyway, there seems to be no shortage of hits when searching for "strip html from string". There seems to be 2 general approaches:
Use a regular expression (here there be dragons)
Use an html parser
You may find a regex that is good enough for your purposes but you will need a proper html parser to do it right.
This stackoverflow question has alot of discussion about the regex option (although the question is looking to strip all tags except links).
Since you are using Qt, this question has an answer with examples of using a parser from that library.
Why not peek under the hood in QTextEdit::toPlainText() source code, and see what is done there?
Related
I want to create an Help page for my wxWidgets application, which consists of only text of various fonts, sizes and colors. I tried achieving that with wxStaticText's and sizers but I was having trouble so I switched to a wxRichTextCtrl, which I like to use. The problem is, the text should of course be non-modifiable. I know of the existance of the wxRE_READONLY flag, but it doesn't hide the caret that appears when I click on the text.
Isn't there some kind of wxRichStaticTextCtrl that works exactly like a wxRichTextCtrl, but is readonly by default and doesn't have this problem? I tried looking online, but to no avail.
The best solution for "rich" static text is wxHtmlWindow: this allows you to just define your help contents in terms of simple HTML which is usually more than enough.
I am having a textbox in my MVC view, that allows user to input HTML tags, but only few tags (such as, B, I, U, and A).
For this, I have set ValidateInput attribute on my POST action to False, so it allows users to input HTML tags.
But now I want to restrict users to input other HTML tags such as (INPUT, SCRIPT, etc). I mean, anything except the ones which I want to allow.
I guess, one way is to use a regex, but I am unable to find a proper regex for this.
Any idea of how to achieve this? Any help on this much appreciated.
Thanks and Regards
That's dangerous, man. Your users could still insert undesired tags using some tricks, for example encoding data. Even if you try to think all the possible ways a user can employ to enter "dangerous" tags in your code, he'll find an additional one.
So you should try to look some kind of proven solution for your problem. Look for HTML sanitizer, for example Google ASP.NET MVC sanitize html input and you'll find several solutions. AntiXSS library could be a good solution: now it's called Microsoft Web protection Library. You can include it in your solution as a NuGet package:
Install-Package AntiXSS
I recommend you to read this article to get a deeper view of the problem and its solutions:
.NET HTML Sanitation for rich HTML Input
In this article you'll find that AniXSS and a less restrictive solution with full explanation of pros, cons, and how it all works. Don't miss the references in the comments.
What I am trying to create is a site for resources. Basically, you add resources such as books and videos via links. Now, with any resource site that caters to a variety of resources, you need to tag them in order to understand what kind of resource you are using.
For example, if you make notes on something like Chemistry or key points from a talk on lets say "Django", then these are text documents. Thus you would want them inside a TEXT TAG.
So, when you are making a form for this kind of thing, what form field would you use? For example, by knee-jerk approach is to simple make a text area field, and then separate the different tags via comma. Now, this can be prone to many problems, I'd just like to know what is the best approach to take to solving this problem? Basically, an easy way to validate the data input? Would forms.ChoiceField be the best approach to the problem or is there something else that is superior?
https://www.djangopackages.com/grids/g/tagging/ is your best bet, most specifically https://github.com/alex/django-taggit. If you want to run your own tagging system, take a look at the source code for some ideas.
EDIT: The easiest way to display this in a form would be to use a ModelMultipleChoiceField. This allows you to select multiple tags for a single resource, and handles server-side validation and conversion to the actual Tag instances. However, I think most people would agree this option looks hideous, and it is certainly not user-friendly if there is a large amount of possible tags.
If you're using jQUery, another option is to use Django_select2. This is what I have personally used in a similar situation, and it handles a large amount of possible tags very well. Django_select2 is a thin wrapper around jQuery's Select2 plugin, with a bit of added functionality (most notably the AutoView and AutoModelSelect2Field). This provides a hybrid between a text field and a select list, allowing you to search all tags and easily select multiple tags. See http://ivaynberg.github.io/select2/ for examples of what you can achieve.
What I would like to do is to make a WYSIWYG editor, not a big one, just the common utilities, so bold, italic, underline, size, font, in Qt.
My approach for now is to make it in a QTextEdit, when the user click the button i get the signal and using the cursor index i put html tag, but I don't know if it's a good idea.
Any Advice?
You can always use the webkit module and relay on the contentEditable feature.
Any Advice?
Study "Order form" and "Syntax Highlighter" examples. Also, read QTextCursor and QTextDocument documentation.
I think you refer to the internal format of a document. You just need a solution to keep the formating information, so the editor/viewer can interpret it. Of cause you can choose HTML or HTML-like tags for this. I'd recommend to check out BBCodes, which are widely used for that.
By the nature of WYSIWYG the internal format should be invisible to a user. I don't know about the capabilities of QTextEdit to achieve that. Perhaps there is a HTML/BBCode extension?
This link describes an exploit into my app using fckEditor:
http://knitinr.blogspot.com/2008/07/script-exploit-via-fckeditor.html
How do I make my app secure while still using fckEditor? Is it an fckEditor configuration? Is it some processing I'm supposed to do server-side after I grab the text from fckEditor?
It's a puzzle because fckEditor USES html tags for its formatting, so I can't just HTML encode when I display back the text.
Sanitize html server-side, no other choice. For PHP it would be HTML Purifier, for .NET I don't know. It's tricky to sanitize HTML - it's not sufficient to strip script tags, you also have to watch out for on* event handlers and even more, thanks to stupidities of IE for example.
Also with custom html and css it's easy to hijack look and layout of your site - using overlay (absolutely positioned) which covers all screen etc. Be prepared for that.
The bug is not actually FCKeditors fault. As long as you let users edit HTML that will be displayed on your web site they will always have to possibility to do harm unless you check the data before you output it.
Some people use HTMLencoding to do this, but that will destroy all the formatting done by FCKeditor, not what you want.
Maybe you can use the Microsoft Anti-Cross Site Scripting Library. Samples on MSDN
Is it some processing I'm supposed to do server-side after I grab the text from fckEditor?
Precisely. StackOverflow had some early issues related to this as well. The easiest way to solve it is to use an HTML library to parse user's input, and then escape any tags you don't want in the output. Do this as a post-processing step when printing to the page -- the data in the database should be the exact same as what the user typed in.
For example, if the user enters <b><script>evil here</script></b>, your code would translate it to <b><script>evil here</script></b> before rendering the page.
And do not use regular expressions for solving this, that's just an invitation for somebody clever to break it again.
FCKEditor can be configured to use only a few tags. You will need to encode everything except for those few tags.
Those tags are: <strong> <em> <u> <ol> <ul> <li> <p> <blockquote> <font> <span>.
The font tag only should have face and size attributes.
The span tag should only have a class attribute.
No other attributes should be allowed for these tags.
I understand the DONTS. I'm lacking a DO.
Is use of FCKEditor a requirement, or can you use a different editor/markup language? I advise using Markdown and WMD Editor, the same language used by StackOverflow. The Markdown library for .NET should have an option to escape all HTML tags -- be sure to turn it on.
XSS is a tricky thing. I suggest some reading:
Is HTML a Humane Markup Language?
Safe HTML and XSS
Anyway, my summary is when it comes down to it, you have to only allow in strictly accepted items; you can't reject known exploit vectors because or you'll always be behind the eternal struggle.
I think the issue raised by some is not that Fckeditor only encodes a few tags. This is a naive assumption that an evil user will use the Fckeditor to write his malice. The tools that allow manual changing of input are legion.
I treat all user data as tainted; and use Markdown to convert text to HTML. It sanitizes any HTML found in the text, which reduces malice.