I have a client with a "Directions" page in their website and they wanted to add a Google map to the page, so they went to maps and put in their location and then used the "embed" link to get the html for the iframe. They then opened up the Flatpage for "Directions" page in the admin and went to html mode in TinyMCE and then pasted in the code, but as soon as they save the code is gone and there is no map, just the div tags that surrounded the iframe are left.
I have tried Googling and I have repeated the process myself but no success, does anyone know if you are just not allowed to insert iframe html into the body of a Flatpage in django?
Unless you've added some kind of additional validation/cleaning, flatpages would not remove anything from the content. Have you tried without TinyMCE?
update: The point isn't that you'd leave TinyMCE disabled; the point is to narrow down where the problem is, so you can actually fix it. And I'm almost certain the problem here is TinyMCE, not Django.
I would suspect that tiny-mce is garbling something up. I'd try to disable tinymce and see if you have the same problem. Also, make sure you're using the 'safe' filter on the text in the templates. Otherwise Django will escape all the HTML.
Related
I have an Asp.Net Core 3.1 razor page app. I'm receiving HTML content from user and that will be displayed back in the browser. It's kind of blog like app where my end user will be given a WYSIWYG editor and then the HTML from user will be encoded and saved in database.
Now when the blog page is requested, I need to decode the HTML content back and display in browser. This make my site vulnerable to XSS attack.
Here is my HTML from user,
<p>blog 5</p><script>alert()</script>
I encode this and save in database,
<p>blog 5</p><script>alert()</script>
Now to render the same,
#Html.Raw(System.Net.WebUtility.HtmlDecode(Model.Blog.Content))
When the page gets rendered it shows javascript alert() box.
if I don`t decode then html string is displayed,
#Html.Raw(Model.Blog.Content)
as shown below,
<p>blog 5</p><script>alert()</script>
I'm confused. Am I doing something wrong here? Please assist and correct me. I need the html to be safe and also it has to display as html in browser than as html string output.
I would recommend using an HTML sanitizer library. One of the more popular ones for .NET is:
https://github.com/mganss/HtmlSanitizer
It is available on Nuget:
https://www.nuget.org/packages/HtmlSanitizer/
This will allow you to whitelist the tags that you want to allow. See the wiki for additional documentation and examples.
This is related to a post I recently made regarding ember-fastboot and saving a webpage for offline viewing.
I am making a separate post because I believe this is more an ember-fastboot question and isn't specific to the website I am trying to save for offline viewing.
Basically, I am trying to find out how, on the local end, to completely override ember. That is, since I already have open in my browser the rendered page, what does one need to do in order to save the page such that when opened later locally as offline page, the page appears the same way it did when rendered in the first place?
It seems like I am in a paradox. I have a rendered page, with content such as a javascript media player. I save rendered page. I then open the locally saved, rendered page but then the ember javascript kicks in and alters the page, such that the javascript media player no longer loads, due to ember altering a div's class name to specify that the player is not booted! The thing is, once rendered, I don't need ember doing anything, as I am just interested in viewing a frozen copy of the rendered page with no interest in subsequent connections to the rendering server.
Anyway, hope someone can shed some light on this.
Thanks!
You could remove <script> tags from the index.html after saving it. That would prevent the app from starting, leaving the pre-rendered HTML intact.
You might need to split the JS bundle if you need a JS player to be running independently. Splitting the bundle is an advanced technique. If you need it, please ask a separate question.
So, I have a standard bootstrap one page site. I am using django as the backend. for each section of the site, I use the html id I give to it to navigate to it from the navbar.
the only problem is that I cannot figure out how to clean the pound sign from the url. I still want something like:
example.com/contact
navigate to the contact section automatically, however, right it looks like:
example.com/#contact
How do I go about changing this? Is it something I need to add to the django urls.py file?
How do I go about changing this? Is it something I need to add to the
django urls.py file?
No.
# in URL is a Fragment identifier.
From https://blog.httpwatch.com/2011/03/01/6-things-you-should-know-about-fragment-urls/
... fragment identifier is only used by the
browser – it doesn’t affect which resource is returned from the server.
As it's used by the browser you cannot do much about it unless you change your navigation implementation.
I have a django admin where the name for the login was changed and after logging in the page is cut off. I went in to modify the page but it appears there is no admin/index under templates. I have looked throughout the project and can not find it anywhere. Is there an easy way to locate the files needed to proceed with the project?
I'm currently using out-of-the-box django.contrib.auth to handle authentication in my Django app. This means that the user starts at a log in page and is redirected to the app on successful login. I would like to make my app single-page, including this login process, where a redirect doesn't happen, but maybe a "hot" template switch-out or some fancy client-side div magic (that still remains secure). My Google searching turned up pretty short, the closest solution dealing with putting a log in form on every page.
Any direction or ideas here would be much appreciated. I would obviously prefer to work within the existing confines of django.contrib.auth if possible, but I'm open to all solutions.
I'm not sure I understand your question completely. I think you want to have a single page. If so, put logic in your template that checks to see if the user is authenticated. If not, display a login form that POSTS to the appropriate django.contrib.auth view. You can supply an argument to this view to have it redirect back to your page. When you come back, the user will be authenticated, so you won't display the login form.
Have a look at Django-Easy-Pjax https://pypi.python.org/pypi/django-easy-pjax - it works like a charm and is well documented. Everything you like is being made with AJAX requests: links, forms using GET and forms using POST.
Essentially you only need to add a data-pjax="#id_of_the_container_where_the_result_goes" attribute in your a and form tags.
And the great thing about it: It updates the title and location bar of your browser.
One caveat: If you want to upload files in some form, this is not supported by Easy-Pjax, so you might want to use some workaround jQuery library for that.