Using valid HTML 4.01 Strict with Django - django

I've found a similar question here, but I'm looking for more general solutions.
As it is now, when Django generates anykind of HTML for you (this mainly happens when generating forms), it uses self-closing tags by default i.e. <br /> instead of <br>. <br /> is valid XHTML and I think HTML5 also, but it's not valid HTML4.
Is there any clean way to override this? Or is it better to write django sites in XHTML or HTML5 instead?

There was a whole series of discussions on this when development for 1.2 kicked off, with a range of solutions proposed, but no general way forward was agreed.
But see Simon Willison's Django-HTML project for one possible solution.

You can rewrite entirely the way django output HTML for you. E.G : for the form, you can :
choose between output using table, p or li by using the property "as_xxx".
print the form label by label, choosing the tag wrappers.
use widget to define how a form piece will print to HTML.
Of course you need the new forms to do so, and there for use Django 1.X.

Related

Django how to link to some part of a page

I want a link in my webpage header bar that points to a certain part of a page (for example, the lower half). It's easily done with pure HTML but I wonder how to do it in django.
HTML version:
In base.html:
Introduction
In entrance.html:
<a name="intro"></a>
How can I do the same thing in django? Any better solutions than just writing one more view function?
There is no difference in doing it with Django when compared to just normal HTML. Just continue doing it the HTML way.
There's also another way to tag html elements by id AND use the url template tag from django:
https://engineertodeveloper.com/a-better-way-to-route-back-to-a-section-ids-in-django/
(Credits for Brian, who wrote the solution at the link above)
this can be very useful if you, for some reason, need to use the url method for creating your links.

Is it a common practice to wrap all page content in a form inside a top-level template?

There is a top-level template in my project and it defines several sub-templates nested in a form:
<h:form>
<ui:insert name="header"/>
<ui:insert name="leftbar"/>
<ui:insert name="maincontent"/>
</h:form>
It's not my idea actually to build application in this way. I see both its advantages and disadvantages.
The biggest problem I've met is necessity of 2 forms on 1 page: first with default enctype and second for uploading files. The second biggest problem is validating unnecessary fields (but it can be relatively easily solved by disabling validation on those fields with jstl c:if).
I'm using JSF and Facelets currently but the described design is possible with any templating framework.
So, what I wanted to ask: how do you think is it worth to use this wrapper-form? Is is a common practice?
It certainly is not. You're now using one "super-form" for all actions in the page. This is not the common practice. Every related group of input elements should be placed in its own form. You don't want to validate/submit your contact form in the main content if you submit the search form in the header.

ColdFusion how to Prevent XSS Attacks in a WYSIWYG

I have a WYsIWYG editor in my coldfusion app and need to prevent XSS Attacks. Is there any Coldfusion ways to strip out all script type attacks?
http://blog.pengoworks.com/index.cfm/2008/1/3/Using-AntiSamy-to-protect-your-CFM-pages-from-XSS-hacks
http://code.google.com/p/owaspantisamy/downloads/list
The main question I would ask is what is this WYSIWYG for? Many WYSIWYG's allow you to define specific tags to have stripped out of the code.
For instance you can have TinyMCE strip out the script tags with
http://wiki.moxiecode.com/index.php/TinyMCE:Configuration/invalid_elements
This unfortunately does not solve your problem since all client side data form submissions are circumventable. If you must use a WYSIWYG ,then what you really need to make sure to do is to cover all your bases on the form's validation and display. You can strip out all script tags and make sure to remove any event attributes and javascript code in links href attributes.
If it is acceptable to only allow a specific subset of tags I would suggest either using BBML, BBCode, or Markdown.
http://www.depressedpress.com/Content/Development/ColdFusion/Extensions/DP_ParseBBML/Index.cfm
http://en.wikipedia.org/wiki/BBCode
http://sebduggan.com/projects/cfxmarkdown
You can use TinyMCE as a WYSIWYG for BBCode http://tinymce.moxiecode.com/examples/example_09.php and StackOverflow uses a great markdown editor http://github.com/cky/wmd
Here is some good info if you would like to render BBCode in Coldfusion
http://www.sitepoint.com/forums/showthread.php?t=248040
Something to consider is that while stripping the tags out in the browser with TinyMCE is a good idea, it makes a fatal assumption that the user is going to be submitting content via the browser. Anything that you do in the browser needs to be duplicated on the server because attackers can bypass any validation that happens in the browser.
With that said check this article: http://www.fusionauthority.com/techniques/3908-how-to-strip-tags-in-three-easy-lessons.htm which spells this out in more detail than I could here. Basically it discusses using regex and UDFs to strip tags out easily. The last example is particularly important... check it out.
To convert these tags <> or use HTMLEditformat function.

Are there any good tutorials for using sitemesh in a grails application?

I'm a pretty experienced Grails developer, but most of my experience has been with using grails for serving up JSON/XML to a flex app and some relatively simple HTML websites.
I've been diving deeper into using the sitemesh integration in grails and I'm struggling a little to find best practices for some more complex configurations, and I'm curious if there are any good tutorials or examples out there. The original Sitemesh website isn't that useful as the tags it talks about aren't directly exposed in grails.
A google search is mostly showing old mailing list posts and some vanilla sitemesh stuff which is helping me to move a little further along, but it's a lot of trial and error.
I fully understand how the basic g:layoutTitle, g:layoutHead, and g:layoutBody tags work. Those are easy and well documented.
The kinds of things that I'd like to see examples for:
g:applyLayout - the documentation on this is weak and I don't fully understand the uses suggested in the main docs. How is this different than setting the meta name='layout' content='foo' property?
g:pageProperty - some better examples on how to pull and use properties into the main template by setting the values as meta tags in the page that's being decorated. The grails docs on pageProperty show only the onload attribute from the body being brought forward. I think you can also use meta tag values here as well, anything else?
can you use multiple levels of sitemesh layouts? My testing seems to make me think that I can't, but that seems to reduce reusability. I think that the answer here is some usage of the g:applyLayout, but that's where I'm struggling the most.
the g:pageProperty is a very powerful, but very poorly documented thing. Lets say in my layout I specify where to put some content like this:
<html>
<body>
<g:pageProperty name="page.header" />
</body>
Now in my page I can specify some content:
<content tag="header">
<!-- header -->
</content>
Sitemesh will take the content tag, regardless of actual position in the HTML of the page and place it where it needs to go in the flow of the layout.
Even better, if within my page I render a template that also specifies a content area with a tag of "header", it will overwrite the first declaration, and it will be the template's content that will be rendered in the final layout.
Well, I can answer a bit:
Your first and third questions are related, as you can't chain layouts using the meta tag.
Your final page should have a meta tag as you suggest, but if you want to layer a layout on top of another layout, you put a g:applyLayout tag at the top of the child layout, pointing at the parent.
In your edit.gsp, you'd have:
<meta name="layout" content="editTemplate" />
and in editTemplate.gsp, you'd have:
<g:applyLayout name="baseTemplate" >
<!-- the html for the editTemplate -->
</g:applyLayout>
so edit.gsp would use editTemplate.gsp, which would use baseTemplate.gsp as a base layout. You can chain those as needed.
I haven't used g:pageProperty at all, so I can't throw you better examples there, sorry.
The Sitemesh together with Grails is a very very powerful feature. The more I use it - the more I love it. You can decorate any part of our web site: you can have layout for error messages, tooltips, news lines, comments, etc, etc. Just to note that you can do even that with in your pages and have multiple levels of decoration (no <content> needed):
/view/layout/inline-error-message.gsp
<span class="errorMessageInSomeFancyBox">
<span class="errorIcon"></span>
<g:layoutBody />
<span>
/views/book/create.gsp
<%-- let's decorate our error message with some fancy box --%>
<g:applyLayout name="inline-error-message">${some.error.message}</g:applyLayout>
See our Rabbtor Showcase App for a few very good examples on
creating nested layouts
rendering templates
applying layouts to specific parts of a page
. This app is actually a showcase for our tool Rabbtor which enables using GSP outside Grails but parts related with Sitmesh are also valid for Grails.

How do use fckEditor safely, without risk of cross site scripting?

This link describes an exploit into my app using fckEditor:
http://knitinr.blogspot.com/2008/07/script-exploit-via-fckeditor.html
How do I make my app secure while still using fckEditor? Is it an fckEditor configuration? Is it some processing I'm supposed to do server-side after I grab the text from fckEditor?
It's a puzzle because fckEditor USES html tags for its formatting, so I can't just HTML encode when I display back the text.
Sanitize html server-side, no other choice. For PHP it would be HTML Purifier, for .NET I don't know. It's tricky to sanitize HTML - it's not sufficient to strip script tags, you also have to watch out for on* event handlers and even more, thanks to stupidities of IE for example.
Also with custom html and css it's easy to hijack look and layout of your site - using overlay (absolutely positioned) which covers all screen etc. Be prepared for that.
The bug is not actually FCKeditors fault. As long as you let users edit HTML that will be displayed on your web site they will always have to possibility to do harm unless you check the data before you output it.
Some people use HTMLencoding to do this, but that will destroy all the formatting done by FCKeditor, not what you want.
Maybe you can use the Microsoft Anti-Cross Site Scripting Library. Samples on MSDN
Is it some processing I'm supposed to do server-side after I grab the text from fckEditor?
Precisely. StackOverflow had some early issues related to this as well. The easiest way to solve it is to use an HTML library to parse user's input, and then escape any tags you don't want in the output. Do this as a post-processing step when printing to the page -- the data in the database should be the exact same as what the user typed in.
For example, if the user enters <b><script>evil here</script></b>, your code would translate it to <b><script>evil here</script></b> before rendering the page.
And do not use regular expressions for solving this, that's just an invitation for somebody clever to break it again.
FCKEditor can be configured to use only a few tags. You will need to encode everything except for those few tags.
Those tags are: <strong> <em> <u> <ol> <ul> <li> <p> <blockquote> <font> <span>.
The font tag only should have face and size attributes.
The span tag should only have a class attribute.
No other attributes should be allowed for these tags.
I understand the DONTS. I'm lacking a DO.
Is use of FCKEditor a requirement, or can you use a different editor/markup language? I advise using Markdown and WMD Editor, the same language used by StackOverflow. The Markdown library for .NET should have an option to escape all HTML tags -- be sure to turn it on.
XSS is a tricky thing. I suggest some reading:
Is HTML a Humane Markup Language?
Safe HTML and XSS
Anyway, my summary is when it comes down to it, you have to only allow in strictly accepted items; you can't reject known exploit vectors because or you'll always be behind the eternal struggle.
I think the issue raised by some is not that Fckeditor only encodes a few tags. This is a naive assumption that an evil user will use the Fckeditor to write his malice. The tools that allow manual changing of input are legion.
I treat all user data as tainted; and use Markdown to convert text to HTML. It sanitizes any HTML found in the text, which reduces malice.