How do I display only bolds, italics, and all the other non-security issue HTML on the page?
Sanitizing HTML is a pretty hard problem to get right. Spammers and other nasty people come up with new ways to smuggle HTML through sanitation all the time. The safest option is to define a white list of harmless tags and rigorously filter out all other tags with a true HTML parser (not with regular expressions).
There are a couple of template tags and filters on djangosnippets.com, e.g. this or this one. When selecting a filter, pay attention that it uses a white list and an HTML parser like lxml.html (preferably lxml.html.clean) or BeautifulSoup.
Probably it makes more sense to configure TinyMCE so that the user can only enter elements you allow. TinyMCE has a powerful set of rules for that. If you are using django-tinymce, see this for setting TINYMCE_DEFAULT_CONFIG to your desired options.
To display all HTML (no escaping) you can use the safe filter:
{{ var|safe }}
In your case, if you want to escape everything except certain tags, you can write your own filter that does that:
{{ var|mysafe }}
Read about it here: http://docs.djangoproject.com/en/dev/howto/custom-template-tags/
The algorithm of the filter could be:
- Escape everything
- Unescape only those tags that are allowed (by using .replace or regular expressions)
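The two ideas above (a white list enforced by a real HTML parser, and "escape everything, then let only allowed tags through") combined in one stand-alone filter body. This is an added example, not code from any of the answers or from lxml/BeautifulSoup; it uses only the standard library's html.parser, and the allowed tag set and the function names are my own choices.

```python
import html
from html.parser import HTMLParser

# Tags the site chooses to let through; everything else is shown as text.
ALLOWED_TAGS = frozenset({"b", "i", "em", "strong"})


class WhitelistSanitizer(HTMLParser):
    """Re-emit allowed tags bare (attributes dropped, so no onmouseover=...),
    escape every other tag so the browser renders it as literal text, and
    keep the output well-nested even if the input is not."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
            self.open_tags.append(tag)
        else:
            # Escape the raw source text of the tag, e.g. <script> or <img ...>
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        # Self-closing forms are not on the white list; show them as text.
        self.out.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open_tags:
            while self.open_tags:  # close anything opened after this tag
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
        else:
            self.out.append(html.escape(f"</{tag}>"))  # stray or disallowed

    def handle_data(self, data):
        self.out.append(html.escape(data))  # plain text is always escaped

    def result(self):
        for t in reversed(self.open_tags):  # close what the input left open
            self.out.append(f"</{t}>")
        self.open_tags = []
        return "".join(self.out)


def sanitize(untrusted_html):
    """Body for a Django filter; wrap the return value in mark_safe() there."""
    p = WhitelistSanitizer()
    p.feed(untrusted_html)
    p.close()
    return p.result()
```

Register `sanitize` as the `mysafe` filter and wrap its result in `django.utils.safestring.mark_safe` so the template engine does not escape the surviving tags a second time.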