Django form is rendered with invalid HTML syntax - html

I have a Django project where I use the integrated forms. But it sends my client wrong HTML syntax. This shouldn't be that big of a deal since browsers nowadays clean up such errors. But when the form gets send back to the server the form isn't able to validate because firefox sends back the cleaned version.
I have a form with an multiple select:
class ProjectForm(forms.Form):
# [...]
project_leaders = forms.ModelChoiceField(widget=forms.SelectMultiple, queryset=User.objects.all(), initial=0)
This form is integrated in the respective html file:
{{ project_form.as_p | linebreaks }}
This is the source code from it (via Firefox Page Source):
<p>[...] <select name="project_leaders" required id="id_project_leaders" multiple><br>
<option value="test">test</option></p>
<p></select></p>
Firefox cleans it up oc but it should be send and accepted by django.
Does anybody know how I can django to do that?

This shouldn't be that big of a deal since browsers nowadays clean up such errors.
The browser tries its best to distill some meaning out of erroneous markup, but the result is not always what the author expected. For getting exactly the wanted structure, said author should write correct HTML. This hasn’t changed since the 90s.
In this specific case, my suggestion is to get rid of the | linebreaks filter. It is meant for plain text with at the most simple formatting tags.
The filter adds a <br> after the opening <select> tag. This leads the browser to automatically close the <select> again, since <br>s are not valid inside <select>s. The <option> elements are then placed outside the <select>, having no effect anymore whatsoever. The closing and re-opening <p> tags are a symptom of the browser not fully knowing what to do with the final stray </select>.

Related

Why bootstrap form validation doesn't work on one webpage?

I have 3 web pages each page contains 1 bootstrap form. The forms are structured the same, but each has a different number of input fields and order in which they appear in the form.
The HTML page files, local JS files are all in the same folder(no sub-folders). The <head> on each page has the same assests.
The non-functional form has a text area and button that the other forms do not. I have tried commenting these out, but that didn't resolve the problem. I have tried removing the link to local CSS, that too made no difference in the issue.
When I check the html files with W3 validator I get one Error and 2 Warnings.
Error: Element legend not allowed as child of element form in this context.
Warning: The date input type is not supported in all browsers. Please be sure to test, and consider using a polyfill. Commenting out the legend makes no difference.
I do have a date field in both the working and non-working forms.
When I look at dev tools in Chrome I don't see any errors.
I have tested on both Chrome and FireFox, so I don't think it is a browser specific issue.
Note this is all done on local machine and all coded using notepadd++.
I know this would be a tremendous amount of code to post for review, but if required I will do so. I was hoping someone would have troubleshooting suggestion.
have created 2 jsbin. first link is page with non working form. Second link is page with working form. first link is https://jsbin.com/xuwuziy/edit?html,css,js,output . Second link is https://jsbin.com/luqatel/edit?html,css,js,output
In the first JSBin: $('#cruise1').bootstrapValidator(.... There's no element with id "cruise1" in the page. Instead your form's ID is "quoteForm". Therefore the validator does not bind to it because it can't find an element with the "cruise1" ID.
Since you're including the same validation JS on both pages, in order to get the same code to validate both forms, you have to use a selector that can match to both forms.
There are two possible, simple solutions.
1) Give both forms an id of "cruise1". However, this may not be very descriptive of your quote form.
2) Give both forms the same class, and use that as the selector to initialise the validator. e.g.:
The form tags:
<form class="form-horizontal validatableForm" id="quoteform">
and
<form class="form-horizontal validatableForm" id="cruise1">
And the validator intialisation:
$('.validatableForm').bootstrapValidator( //...etc
This will initialise the same validation on all forms which match the given selector (i.e. all forms with that class). In any one page, in your situation, you might only have one form loaded with that class, but it means it will work when the code is included in both pages, and if for any reason you had two forms with that class loaded in one page it would bind those as well.
One last note, since you mentioned you were new to this: I hope you are implementing the same validation rules in your server side code (the code which deals with the submitted form data). Client-side validation such as you've used is very nice for user experience, but it's not secure - any user, especially a malicious one, or an automated spam-bot, can easily manipulate or bypass the JavaScript validation (most simply, by just turning off JavaScript) and try to send invalid or problematic data to the server. You cannot trust anything which comes from the client-side and must re-validate everything in order to protect your application and database.

Ckeditor 4 is removing the <img> tag if the HTML is not correct. How to stop this behaviour

we are using CKEditor in our project. We recently upgraded the version from 3.X to 4.x. After the update, we are not able to see <img> tags in the old saved documents. When we click on the source, we see
<p> <p> in place of a <p><img ......><p>.
On further debugging, we found that many documents which had the <img> tag were also having a junk attribute in the <img> tag like <img /="/" src="/folder/11801321/112267100.neck.png" height="308" width="467">.
By junk, I mean this part of tag /="/". This was a bug introduced while we were processing the user's input. We reverted old CKEditor version to 3.X and the editor was internally taking care of the junk values. it was trimming it off. so the users never complained.
But now the CKEditor 4 is not handling the HTML in the same way. It is actually stripping the whole <img> tag.
We have two options to fix this issue.
1. Remove the junk characters in all the documents. This is huge data. Needs approval from the user to do it.
2. Change CKEditor 4 config settings to get the same behavior as the CKEditor 3.X.
We are in favor of point 2. I have been searching and trying couple of config settings but haven't been able to nail it.
Let me know if any one has faced the same issue and have resolved it.
If you really want you can set all the code inside the img tag as "protected" and this way the editor will not strip this code:
CKEDITOR.config.protectedSource.push(/<img \/="\/" .*?>/g)
Remember that your final html will not be valid.
Since that part of the code is "protected" you will not see these images in the editor.
Here is a working example for that:
https://jsfiddle.net/oLb4Lmdb/
However - I really think it will be best to replace the string <img \/="\/" with <img in the source once the ckeditor instance is ready:
CKEDITOR.instances.editor1.on('instanceReady', function() {
this.setData(this.getData().replace("<img /=\"/\"", "<img"))
})
This way you don't need to go over all the data in the "backround", and the replacement will be done "on the fly" for every document that you need to edit.
You can check this jsfiddle:
https://jsfiddle.net/k1ewc29p/

String to HTML conversion so that page can read HTML tags

I'm currently working on a blog using Django and SQLite for the back end. In my setup, I stored my articles in the database in this sort of form:
<p> <strong>The Time/Money Tradeoff</strong> </p> <p> As we flesh out High Life, Low Price, you will notice that sometimes we will suggest deals and solutions that may cost slightly more than their alternatives. We won’t always suggest the cheapest laptop...
On the page itself, I have this code for where I use the session data:
<p>{{request.session.article.0.blog_article}}</p>
I had assumed that the web broswer would be able to read the HTML tags. However, it prints on the page in that form, with the visible <p> tags and the like. I think this is because it's stored as a Unicode string in the database and is put onto the page between two quotation marks. If I paste the HTML code onto the page, the format looks like I wanted it to look, but I want it to be an automated process (tell Django which article ID I want, it plugs the elements of the page into the template and everything looks great).
How can I get the stored article in a form where the page can see the HTML tags?
By default django would autoescape all strings in the template, so when you render html code in the template, they just show up as the literal html code. But you could use safe filter to turn this off:
<p>{{request.session.article.0.blog_article|safe}}</p>

Magento Product Attribute Keeps Displaying HTML

I am adding a product attribute onto my product pages in Magento Enterprise V 1.14.1 and I can't get the HTML to display as it should on the frontend. I have WYSIWYG disabled with the 'Allow HTML Tags on Frontend' set to yes and have confirmed in my PHPAdmin databases that it is set to 1, but on my product page it is still displaying the raw HTML.
On the same page I have attributes which point to a static block with HTML and those display as they should, but this attribute which uses a text field doesn't seem to want to display correctly.
This is the code I am using to call my attribute in case that is where the issue is lying where 'static_block' is the name of my attribute I'm trying to call:
<?php echo $this->htmlEscape($_product->getData('static_block')); ?>
And what's weird is when I enable 'Visible on Product View Page on Front-end' and it appears in the 'Additional Information Tab' it displays as it should. So I'm guessing there might be something wrong with my script which is calling the attribute.
Thanks for the help!
It appears to be converting the html into Escaped HTML, which I do not think you want in this case. Try without htmlEscape() wrapping the static_block.
<?php echo $this->$_product->getData('static_block'); ?>
--- 11/10/2014 13:00 EST
It now appears you are calling an array for echo, rather than individual elements of an array.
--- 11/10/2014 13:15 EST
I stripped the HTML, used an HTML cleaner and, using Google Chrome's Edit HTML feature, I stripped out the quoted block and pasted the cleaned HTML and it worked perfectly, which pretty much confirms the Escaped HTML is to blame. It is reading <div> rather than <div> for instance.
echo $this->$_product->getData('static_block');
please use this code

CKeditor rich text editor displaying html tags in browser

I've just installed CKeditor rich text WYSIWYG editor on a site I'm building and it seems to be working ok except for the fact that it inserts text into my mysql database as encoded html rather than regular html and then when the browser outputs this text it converts the encoded data into regular html that then displays in the browser showing the html tags and none of the styling!?
eg I type:
"This is text"
into the editor and it then inserts
<p>This is text</p>
into the database. Then when the page is called the browser converts the above and outouts the following on the page:
<p>This is text</p>
obviously I just want "This is text" to display on the page.
Does anyone know why this is happening/how to solve it please?
Any suggestions would be most welcome.
Cheers
If you don't want CKEditor to create paragraphs for you, set config.autoParagraph to false. Additionally you may want to change enter key behaviour with config.enterMode set to CKEDITOR.ENTER_BR.
And regarding disappearing styles...
EDIT: OK, it seems I missed your point.
So your website is displaying HTML markup instead of HTML while rendering out what you typed?
Then the problem is your server side rather than CKEditor. You can verify in your console that CKEDITOR.instances.yourInstance.getData() yields the correct, unescaped HTML:
<p>This is text</p> // Right!
If it is so, and I strongly believe it is, CKEditor's just fine and this is your server app that is converting special chars into entities (i.e. like PHP htmlspecialchars) while saving to database. You didn't mention what kind of framework/language you use there, so I can just tell you that it is to secure user input to prevent cross-site scripting, breaking layouts etc. and all popular frameworks allow you to disable that feature for a particular field. Simply refer to documentation.
Modern templating languages tend to autoescape html input. For example, in DTL it would be displayed correctly in the template by simply using
{{ object.field_name|safe }}
This is a desired action, since user input is considered untrusted and may be considered malicious.
The browser is not parsing HTML, so on the page displaying (or in the php file) try using {! !} instead of {{ }}.
If you are using laravel, then you should use {!! $variable !!}.
For Laravel 7, 8, and 9 - foreaxample if there is a varable called- $student
and student varable holds "This is Text" in paragraph you must call the varable using singla culy brace front and back, inside two