I have a form with a jwysiwyg editor. Looking at it, it can use basic-formatting HTML tags using the formatting buttons like SO's. Upon submitting the form, I notice it's saved into the database as-is, whereas if I enter stuff like <iframe> ... </iframe> into the editor I notice that it is HTML-encoded inside the table.

Now, when I need to output whatever the user has submitted, can I safely use {{ output|safe }} to display the formatted text?

Is this reasonably secure enough, or how should I rectify it?
Use the safe filter only if you HTML-escape the data first. Otherwise you should use escape. If you want your users to be able to input data with HTML tags, you could try to sanitize the input to prevent users from using <iframe>, <script>, etc., but allow other tags to be white-listed, and then mark it as safe.
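As an added example (not code from the question, the answer, or the jwysiwyg project), here is a whitelist sanitizer of the kind the answer describes, built only on Python's standard-library html.parser so it runs without extra packages. The allowed tag and attribute sets are assumptions about what the editor's formatting buttons produce; adjust them to your own button set. The returned string is what you would then hand to Django's mark_safe or render with the safe filter.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed whitelist: the tags a basic WYSIWYG toolbar emits (bold, italic,
# lists, links, ...). Anything not listed here is dropped from the output.
ALLOWED_TAGS = {"b", "i", "u", "strong", "em", "p", "br", "ul", "ol", "li",
                "blockquote", "code", "pre", "a"}
VOID_TAGS = {"br"}
# Per-tag attribute whitelist; style, onclick, onerror, etc. are never kept.
ALLOWED_ATTRS = {"a": {"href"}}
# Tags whose contents are discarded too, not only the tag markup itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def _safe_href(value):
    """Allow relative URLs and a few schemes; rejects javascript:, data:, etc."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True means entities arrive decoded in handle_data,
        # where we re-escape them, so "&lt;script&gt;" stays inert text.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []  # allowed tags we emitted and still have to close
        self.drop_depth = 0   # > 0 while inside a DROP_CONTENT tag

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1      # an unclosed <script> drops all that follows (fail closed)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return                    # unknown tag: markup dropped, its text is kept
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not _safe_href(value):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_stack:
            # Close anything left open inside it, then the tag itself, so the
            # output is always well-formed even for sloppy editor markup.
            while True:
                top = self.open_stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the
    # HTMLParser defaults, which emit nothing, so they are discarded.

    def result(self):
        self.close()
        while self.open_stack:          # close tags the user never closed
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize_html(dirty):
    """Return a whitelist-filtered, re-escaped copy of user-supplied HTML."""
    parser = WhitelistSanitizer()
    parser.feed(dirty)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input, as a user might paste into the editor.
    sample = '<b>hello</b> <iframe src="http://example.invalid"></iframe>' \
             '<a href="javascript:alert(1)">x</a><p onclick="f()">1 &lt; 2</p>'
    print(sanitize_html(sample))
    # In a Django view: mark_safe(sanitize_html(post.body)), or store the
    # sanitized string and render it with {{ body|safe }}.
```

Sanitize once, on the way in or the way out, but be consistent: if the stored value is already sanitized, render it with safe; if it is raw user input, render it with escape and never with safe.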