I use Google App Engine and I have run into the following problem. I need to store in the Datastore text like "<p>My text</p>". When I used the Django 0.96 templates everything was in order: the text was shown with the expected markup. But I changed the templates to the Django 1.2 templates, and my markup is now shown as HTML entities. How do I solve this problem?
P.S. I don't use the Django helper or any other third-party libraries.
If a filter mode is the default mode for templates, then using "safe" or "autoescape on" looks like a hack. I'm trying to understand how Django's authors imagined templates being used. I do not think that journalists, in addition to publishing their material, also create templates for each of their articles. I.e. there must be some means of allowing formatted text, e.g. TinyMCE or Markdown. But when the markup is stored in the DB, the templates show it as HTML entities.
Of course, it is possible to use the filters "safe" or "autoescape on". But I don't understand what the point of sanitizing in templates is when it will be disabled in most cases.
Maybe I'm not right? Where am I wrong?
Use the safe filter, or the autoescape off template tag. Make sure you understand what XSS is first; user-input content should not be considered safe.
Re comments: {{ body|safe }} is a shorter equivalent to the autoescape block. I've no idea why that didn't work, unless T. Abilo is right and the datastore has it html-quoted already.
TinyMCE is hard to guard against XSS, since it sends you presentational html back. Markdown editors (like MarkItUp) are easier since you can render the markdown safely on the server side. As it is you need a filter that strips everything but a presentational html whitelist: {{ body|presentationalonly }}. This one could do the job. Bleach is available for stricter whitelists.
I had a similar problem so maybe you could check the following:
- is the markup showing as "&lt;p&gt;" etc. in your datastore?
- if so, you can add this in your template to the string: .replace("&lt;", "<").replace("&gt;", ">") while still using autoescape or something similar
- if it works you can also change it directly in your handler, like described here: http://wiki.python.org/moin/EscapingHtml
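The two answers make two separate points: the first, that markup should only be marked "safe" after it has been reduced to a presentational whitelist (the Bleach approach), and the second, that the stored value may already be entity-encoded, so autoescaping it a second time produces "&amp;lt;p&amp;gt;". The following added example, which is not code from the question or either answer and does not use Django or Bleach, shows both in plain Python: autoescape() mimics what Django 1.2's default autoescaping does to a string, WhitelistSanitizer is a deliberately small stand-in for a whitelist filter such as the hypothetical presentationalonly filter above, and normalize_stored() undoes one layer of entity encoding when the stored value looks like it was escaped before it was saved. The tag and attribute whitelist is an assumption chosen for the example.

```python
"""Whitelist-sanitise stored HTML before marking it "safe", and undo
double-escaping of values that were entity-encoded before storage.

Added example; stand-alone, standard library only (no Django, no Bleach).
"""
import html
from html.parser import HTMLParser

# Assumed "presentational only" whitelist: tags a journalist's editor needs.
ALLOWED_TAGS = {"p", "br", "em", "strong", "ul", "ol", "li", "a"}
# Attributes kept per tag; anything else (onclick, style, ...) is dropped.
ALLOWED_ATTRS = {"a": {"href"}}
# Tags whose text content must be discarded as well, not just the tag.
DROP_CONTENT = {"script", "style"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def autoescape(text):
    """What Django's default autoescape does to a plain (non-safe) string."""
    return html.escape(text, quote=True)


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the fragment keeping only whitelisted tags and attributes.

    Text nodes are re-escaped on output, so a stray '<' in the body can never
    open a tag the whitelist did not allow.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href":
                url = (value or "").strip()
                if not url.lower().startswith(SAFE_URL_SCHEMES):
                    continue  # only plain web/mail links survive
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=True))


def sanitize(fragment):
    """Whitelist filter: the only thing that may be marked 'safe' afterwards."""
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def normalize_stored(value):
    """If the datastore already holds entity-encoded markup (&lt;p&gt;...),
    autoescaping it again would yield &amp;lt;. Undo exactly one layer when
    the value contains encoded tags but no raw '<' at all."""
    if "<" not in value and "&lt;" in value:
        return html.unescape(value)
    return value


def render_body(stored, mark_safe=False):
    """Simulates {{ body }} (autoescaped) versus {{ body|presentationalonly }}
    (sanitised, then emitted as-is) for one stored article body."""
    body = normalize_stored(stored)
    return sanitize(body) if mark_safe else autoescape(body)


if __name__ == "__main__":
    # Constructed sample bodies, as they might sit in the datastore.
    print(render_body("<p>My text</p>"))                          # entities
    print(render_body("<p>My text</p>", mark_safe=True))          # markup kept
    print(render_body("&lt;p&gt;My text&lt;/p&gt;", mark_safe=True))
```

render_body() is the template-side view of the problem: the first call reproduces what the question describes (the stored "<p>" arriving as "&lt;p&gt;"), the second is what a whitelist filter followed by "safe" gives, and the third is the second answer's double-escaping case fixed on the handler side rather than with string replaces in the template.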