How to disable autoescape in django feeds? - django

I use django feed framework to organize rss feeds for my website.
I need to put some hyperlinks to feed items, but al of them are
autoescaped ( "<" is replaced with "<" and so on).
Is it possible to keep tags in my feed (as I understand, I can't use
{% autoescape off %} tag in feed templates)?
Thanks.

Read up on Automatic HTML escaping in Django and try the following syntax. Where data is the variable which holds your link
{{ data|safe }}

As jitter mentioned you can use "safe" filter, but it's annoying if you want to disable autoescaping often. Django also supports {% autoescape off %} {% autoescape end %} blocks, everything inside is block won't be autoescaped.
EDITED: Sorry, I haven't read your question completely only title :). Why you can't use autoescape tag in feeds? There's no restriction about it.

Related

VSCode breaks Django template tags with newline

Problem:
{% extends 'base.html' %} {% block title %} Dashboard {% endblock %} {% block pagetitle %}
becomes
{% extends 'base.html' %} {% block title %} Dashboard {% endblock %} {% block
pagetitle %}
Note that the {% tag %} is being broken with a new line. This causes syntax errors with django templates.
I've tried most top django template extensions and this does not fix the issue.
I've also tried these settings:
"[html]": {
"editor.formatOnSave": false,
},
"html.format.wrapLineLength": 0,
"html.format.enable": false,
"prettier.disableLanguages": ["html"]
Desired Behavior:
Automatically format *.html files, while preserving django template tags, not breaking them up with newlines.
Sub-optimal (but acceptable) behavior: don't format *.html files at all.
I had the same issue and the only way I found that solved it is to disable the default HTML formatter. Unfortunately, I did not find a way to make it format Django template tags correctly. You can do the same if you go to VS Code Preferences > Settings > User > Extensions > HTML and uncheck 'Enable/disable default HTML formatter'.
I solved this by following this advice: https://stackoverflow.com/a/73892745/1257347
TLDR: install the djLint extension (and remember to do $ pip install djlint)
I got it to work by simply adding {{""}} between the {% tag %} that were being broken.
Example:
{% extends 'main/base.html' %} {% block title_block %}Homepage{% endblock%}
{{""}} {%block style_ref_block%}{%endblock%} {{""}} {% block body_block %}
This Didn't work for me.
The hack I found was to set the vscode language to jinja instead of the auto detected html
reference
I've also just experienced vs-code misbehaving on django template tags (i.e. deleting curly braces).
I don't like the idea of disabling HTML formatting just to support templates (i.e. vs-code Preferences/Settings/Extensions/HTML: disable (uncheck) "HTML>Format:Enable"). This is arguably a step backwards, but it does stop vs-code misbehaving.
Instead, I chose to install (vs-code Preferences/Extensions) the 'Django' extension, by Baptiste Darthenay. This was a better way to go, because it works, gracefully, preserves native vs-code HTML formatting, and includes a nice set of django snippits, which saves me keystrokes when embedding template code. Tada!
BTW, before finding Baptiste's awesome extension, I also tried keeping vs-code HTML formatting enabled, AND enabling 'HTML>Format:Templating', which promised to "Honor django and other templating language tags"; it did not.

Preventing XSS attack Django

Currently I am using a CKEditor text editor. It escape's html but I want to prevent it from server side.
What is the best way to prevent XSS When we are using Text Editor in Python/Django?
Automatically or explicitly escape your output in templates, e.g.
{% autoescape on %}
{{ body }}
{% endautoescape %}
or
{{ body|escape }}
If you want to only escape JavaScript the "right" way to do it would be to convert the HTML to DOM, walk the tree of nodes, and remove any script elements. A less elegant and imperfect solution would be to use a regular expression to replace any script tags.

Django: Allow user to submit valid HTML in form field

With Django, is it possible for users to submit HTML in a form field, save it, and then render the HTML in the template?
An example is a user adding a link within a textfield that should then be rendered as an a tag within the rest of the text.
The user would input something like :
this is a site called SO.
The SO link would be a link instead of rendering it as text.
Django escapes by default. You can mark a string as safe via a filter or tag to prevent the auto escaping behavior.
{{ my_text_with_html|safe }}
{% autoescape off %}
{{ my_test_with_html }}
{% endautoescape %}
If you accept user inputted html, you'll want to sanitize it so they can't write scripts and such.. for that, just search python html sanitizing and apply it before sending the data to the template.
Python HTML sanitizer / scrubber / filter
You can tell Django the HTML is safe by marking it with the appropriate filter:
{{ variable|safe }}
You can also use the autoescape tag to disable the autoescaping:
{% autoescape off %}
{{ variable }}
{% endautoescape %}
However, in case you are enabling this feature for other (unknown) users, I highly recommend using something else, since HTML can be quite a pain to properly sanitize from Javascript or other HTML-things you don't want (e.g., on*-arguments etc). Django actually ships with basic support for some markup languages you can provide to your users. I guess markdown is being the most popular.

Combining "with" and "url" Django Template Tags

Django has two template tags "with" and "url". It would be handy to be able to combine the two:
{% with view=really.long.path.to.some.view.somewhere %}
{% url view.foo %}
{% endwith %}
But if you try doing that, you find out that the "with" isn't getting applied inside the "url" tag (as you get an error about there not being a "view.foo").
So, my question is, am I just missing some flag/option/alternative format that would make the above work, or is truly impossible to simplify "url" tags using "with"?
It is possible in Django 1.3 if you're willing to use a future compatibility library.
See the section Forwards compatibility at https://docs.djangoproject.com/en/dev/ref/templates/builtins/#url (just above the discussion on widthratio) for an explanation and examples.

Is using the "escape" tag really mandatory as a good security pattern in Django?

In the security chapter of The Django Book, it says that I must always use the template tag {% escape %} in order to protect my site from cross-site scripting.
Is it really necessary to put the escape tag on every single template string? Is there a way to specify this at application level?
That version of the Django book was written well before 1.0 came out, and is significantly out of date. All template content has been autoescaped for quite some time now.
In django is been done automatically. To turn it off you have to use the autoescape tag. I'm not sure since when, but at least since 1.1 version.
{% autoescape off %}
safe stuff
{% endautoscape %}