I have a form with a jwysiwyg editor. Looking at it, it can use basic-formatting html tags using the formatting buttons like SO's. Upon submitting the form, I notice its saved into the database as-is, whereas if I enter stuff like <iframe> ... </iframe> into the editor I notice that it is html-encoded inside the table.
Now, when I need to output whatever the user has submitted, can I safely use {{ output|safe }} to display the formatted text?
Is this rea开发者_StackOverflow中文版sonably secure enough or how should I rectify?
Use the safe filter only if you html-escape the data first. Otherwise you should use escape. If you want your users to be able to input data with html tags you could try to sanitize the input to prevent users from using <iframe>, <script>, etc, but allow other tags to be white-listed, and then mark it as safe.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论