Unable to render variable in django template that contains HTML - html

I'm passing down a variable to a django template that contains HTML. For example <strong>example</strong>. I mark this string as mark_safe() before storing it in my variable.
When I load it into the template and load the page in my browser it shows the html as plain text, <strong>example</strong>.
If I look at it in the chrome console the only thing that is different is that the text is surrounded with parentheses. So it would look like this, "<strong>example</strong>"
Like I said, I've read through all the other stackoverflow posts and marked the variables using the {% autoescape off %} tags and I've tried the 'safe' tag. These will remove the escaping, but the HTML still doesn't render. Below is the actual html unescaped. I'm wondering if it's the space in front of it?
<p>Modern Comics That Are Valuable But Often Overlooked and Should Be Sought Out In Dollar Bins and In Your Own Collection</p>
<p><strong><em>Its Like Having $-Ray Vision</em></strong></p>
Thanks for the help.

The escaped string first needs to be parsed to HTML. Then you can unescape that string and pass it down and it will be rendered correctly.
import html
# HTMLParser.unescape() was removed in Python 3.9; html.unescape() is its replacement
description = html.unescape(category.description)
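To make the fix concrete, here is an added example (not code from the question or the answer above) that decodes a stored, entity-encoded fragment with the standard library and then sanitizes it against an allowlist before it is handed to mark_safe(); the allowlist, the sample strings and the hypothetical <script> element are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample of what the question describes: a fragment that was
# entity-encoded before it was stored, so mark_safe() on it still shows tags.
# The <script> element is a hypothetical untrusted addition to the sample.
STORED_DESCRIPTION = (
    "&lt;p&gt;Modern Comics That Are Valuable&lt;/p&gt;"
    "&lt;p&gt;&lt;strong&gt;&lt;em&gt;Its Like Having $-Ray Vision"
    "&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;"
    "&lt;script&gt;alert(1)&lt;/script&gt;"
)

ALLOWED_TAGS = {"p", "strong", "em"}   # assumed allowlist for this blog


class AllowlistSanitizer(HTMLParser):
    """Keeps only allowlisted tags; drops every attribute and every other tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0   # >0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")       # attributes are never copied
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        elif tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))   # text stays text


def render_stored_html(stored):
    """Undo the storage-time escaping, then sanitize; the result is what the
    view may wrap in mark_safe() before it reaches the template."""
    decoded = html.unescape(stored)          # "&lt;p&gt;" -> "<p>"
    sanitizer = AllowlistSanitizer()
    sanitizer.feed(decoded)
    sanitizer.close()
    return "".join(sanitizer.out)
```

Marking the raw decoded string safe without the sanitizer step would render any tag a user managed to get into the database.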

Related

Markdown/html not parsing correctly in eleventy from frontmatter generated by Netlify CMS

I've been stuck on this for an embarrassingly long time. I have two inputs that aren't displaying correctly, a markdown widget and the list widget. They both appear as one long string. I thought I needed to add a markdown parser for the former at least so I'm using markdown-it in a manner similar to this:
https://github.com/11ty/eleventy/issues/236
It is adding paragraph breaks where they should be but they show up on the page as p tags. I thought this was because I already had the parsed text nested between p tags but if I delete those nothing shows up at all. When I look at the html file created by eleventy, the tags show up as "&lt ;p&gt ;" (without the spaces) which it seems the browser isn't reading correctly when trying to interpret the html. I'm using nunjucks for templating if that matters. My .eleventy.js file looks like this currently. What am I missing? Also the markdown filter seems to only want to take a string so I'm not sure where to even begin with the list.
By default, Nunjucks HTML-escapes all variables when outputting templates. This is what you want most of the time, unless you're trying to render HTML input.
You might want to try using the safe filter after your markdownify filter.
{{ markdownContent | markdownify | safe }}

String to HTML conversion so that page can read HTML tags

I'm currently working on a blog using Django and SQLite for the back end. In my setup, I stored my articles in the database in this sort of form:
<p> <strong>The Time/Money Tradeoff</strong> </p> <p> As we flesh out High Life, Low Price, you will notice that sometimes we will suggest deals and solutions that may cost slightly more than their alternatives. We won’t always suggest the cheapest laptop...
On the page itself, I have this code for where I use the session data:
<p>{{request.session.article.0.blog_article}}</p>
I had assumed that the web browser would be able to read the HTML tags. However, it prints on the page in that form, with the visible <p> tags and the like. I think this is because it's stored as a Unicode string in the database and is put onto the page between two quotation marks. If I paste the HTML code onto the page, the format looks like I wanted it to look, but I want it to be an automated process (tell Django which article ID I want, it plugs the elements of the page into the template and everything looks great).
How can I get the stored article in a form where the page can see the HTML tags?
By default, Django autoescapes all strings in the template, so when you render HTML code in the template, it just shows up as the literal HTML code. But you can use the safe filter to turn this off:
<p>{{request.session.article.0.blog_article|safe}}</p>
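As an added, defender-side example that is not from the question or the answer above: the safe filter and {% autoescape off %} are exactly the places where stored content reaches the browser unescaped, so a small audit pass over the templates keeps those places to a reviewed few. The template below is constructed, and the scan assumes Django template syntax with the autoescape tags on their own lines.

```python
import re

# Constructed sample template, assumed to belong to the blog in the question.
SAMPLE_TEMPLATE = """\
<h1>{{ article.title }}</h1>
<p>{{ request.session.article.0.blog_article|safe }}</p>
{% autoescape off %}
<div>{{ article.teaser }}</div>
{% endautoescape %}
<ul>{% for t in tags %}<li>{{ t }}</li>{% endfor %}</ul>
"""

VARIABLE = re.compile(r"{{\s*(?P<expr>[^}]+?)\s*}}")   # one {{ ... }} output
SAFE_FILTER = re.compile(r"\|\s*safe(?:seq)?\b")       # |safe or |safeseq
AUTOESCAPE_OFF = re.compile(r"{%\s*autoescape\s+off\s*%}")
AUTOESCAPE_END = re.compile(r"{%\s*endautoescape\s*%}")


def find_unescaped_output(template):
    """Return (line, expression, reason) for every variable the template
    emits without HTML escaping, so each one can be reviewed for XSS."""
    findings = []
    inside_off = False
    for lineno, line in enumerate(template.splitlines(), 1):
        if AUTOESCAPE_OFF.search(line):
            inside_off = True
        for m in VARIABLE.finditer(line):
            expr = m.group("expr")
            if SAFE_FILTER.search(expr):
                findings.append((lineno, expr, "safe filter"))
            elif inside_off:
                findings.append((lineno, expr, "autoescape off"))
        if AUTOESCAPE_END.search(line):
            inside_off = False
    return findings
```

Every hit should correspond to a value that was sanitized before it was stored or marked safe; anything else is a candidate for stored XSS.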

Including HTML inside Jekyll tag

Instead of writing out {% include link_to.html i=5 text="hello world" %} all the time, I've written a custom tag that allows me to do {% link_to 5 hello world %}. It finds the page with data i equal to 5 and creates a link to it.
But it feels clunky to generate HTML strings from inside the tag code, and it is awkward to write complicated code logic inside the HTML include code. So is there a way to have the tag definition do the heavy lifting of finding the relevant page to link to, and have it pass on what it found to link_to.html to render? Sort of like the controller passing information on to the view in Rails.

Is freemarker template HTML escaped by default

I just started working with freemarker templates. I want to make sure that they are HTML escaped to avoid XSS vulnerabilities.
I tried using this template and passed an anchor tag as a variable
String dummyAnchorTagVariable = "<a href='https://example.com'>Visit mysite</a>";
and used it in freemarker template
<div> ${dummyAnchorTagVariable} </div>
The result of this was seeing the whole text including tags on the webpage and not a link. So I assume that FreeMarker is HTML escaped by default.
But when I try to find the documentation related to it, I don't find anywhere that says FreeMarker is HTML escaped by default:
http://freemarker.incubator.apache.org/docs/ref_directive_escape.html
and there is even a blog post (although old) that describes how to make it escape by default: http://watchitlater.com/blog/2011/10/default-html-escape-using-freemarker/
So I'm kind of confused about the HTML escaping in Freemarker.
FreeMarker before 2.3.24 is not escaped by default, unless someone is using a custom TemplateLoader that puts the template inside <#escape x as x?html>...</#escape>. If that's what's happening in your case, then <#noescape>${dummyAnchorTagVariable}</#noescape> will work, otherwise it will give an error because there's no active #escape to disable.
FreeMarker 2.3.24 can auto-escape without TemplateLoader tricks (as of this writing it's not yet out, but hopefully RC1 comes in days and final in February).

My backbone marionette model contains a field with escaped html in it. How do I render that field's contents as HTML and not text?

Classic problem. Want to see html rendered but I'm seeing text in the browser. Whether I tell handlebars js to decode it or not in template ( three curly braces vs two - {{{myHtmlData}}} vs {{myHtmlData}} ) doesn't get me there. Something about the JSON being returned via the model.fetch() has this html data wrapped up in such a way that it is resistant to the notion of displaying as HTML. It's always considered a string whether encoded or decoded so it always displays as text.
Is this just something backbone isn't meant to do?
The technologies involved here are:
backbone.marionette
handlebars.js
.NET Web API
Your data is being escaped automatically. It's a good thing, but since you're sure the data is safe HTML, use {{{ }}} as in this other question: Insert html in a handlebar template without escaping.