I made a custom plugin for Django CMS, and as is the default behavior, the preview icon of the text field showed the returned value of the model's __unicode__(self) as the icon in the WYSIWYG view of the editor:
(where "Email address" is the name of the custom plugin.) However, if the __unicode__(self) method of the plugin returns anything with characters such as ', &, or < >, they get escaped in the preview:
I'm pretty sure the preview uses the alt text property of the plugin instance. The closest thing to people having the same issue I can find is this report, as well as this suggested fix, but neither solution causes any change in the alt text behavior, as far as I can tell.
Basically, even though the plugin's output on the actual page isn't affected, I'd like to be able to display characters like ', &, <, and > in the editor preview. Is this possible?
Try marking the output as safe using the Django helper method.
Example:
from django.utils.safestring import mark_safe
...
    def __unicode__(self):
        ... do stuff ...
        return mark_safe(output)
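As an added example (not from the question, the answer, or Django CMS itself), here is the mechanism the answer relies on, together with the caveat that comes with it. A Django template, and the CMS preview that embeds the plugin's string, escapes every value it renders unless the value carries a "safe" marker. mark_safe attaches that marker to the whole return value, so if the email field is editor-controlled, anything typed into it reaches the editor's markup unescaped. The usual fix is django.utils.html.format_html, which escapes the arguments and marks only the assembled string safe; the browser then shows &#x27; and &amp; as ' and & in the preview without the CMS escaping them a second time. SafeString, escape, mark_safe and format_html below are standard-library reconstructions of those Django semantics so the code runs without Django installed; EmailPlugin is a constructed stand-in for the plugin model.

```python
import html


class SafeString(str):
    """str subclass carrying the 'trusted markup' marker.

    Stdlib reconstruction of django.utils.safestring.SafeString, used here so
    the example runs without Django; the semantics are the same.
    """


def mark_safe(s):
    """Opt the string out of autoescaping: the caller vouches for its markup."""
    return SafeString(s)


def escape(value):
    """Autoescape as a template engine would: escape everything except a
    SafeString, and mark the result safe so escaping is idempotent."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def format_html(fmt, *args):
    """Reconstruction of django.utils.html.format_html: escape each argument,
    trust only the literal format string, mark the assembled result safe."""
    return mark_safe(fmt.format(*(escape(a) for a in args)))


class EmailPlugin:
    """Constructed stand-in for the CMS plugin model in the question."""

    def __init__(self, email):
        self.email = email  # editor-controlled field

    def preview_plain(self):
        # No marker: the CMS escapes the whole string when it renders the preview.
        return "Email address: %s" % self.email

    def preview_mark_safe_everything(self):
        # The answer applied literally: the whole string is trusted, including
        # whatever the editor typed into the email field.
        return mark_safe("Email address: %s" % self.email)

    def preview_format_html(self):
        # Trusted wrapper, escaped field: the CMS will not escape it again, and
        # the browser renders &#x27; / &amp; back to ' / & in the preview.
        return format_html("Email address: {}", self.email)


def render_preview(plugin, method):
    """What the WYSIWYG preview does with the return value: autoescape it once."""
    return str(escape(getattr(plugin, method)()))


if __name__ == "__main__":
    hostile = EmailPlugin('<img src=x onerror="alert(1)">')
    for m in ("preview_plain", "preview_mark_safe_everything", "preview_format_html"):
        print(m, "->", render_preview(hostile, m))
```

Running the block shows the difference directly: the mark_safe variant hands the img tag to the editor untouched, while the format_html variant keeps the field escaped and still avoids the double escaping the question describes.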
I have a project where users can provide a text for searching. This text CAN be HTML, and because of it, we won't escape it, as in the source, it is not escaped.
We provide a whole bunch of functionality, including deleting not needed searches.
We support many languages (including Japanese, among others), and therefore we cannot decide upfront where in the translation the search we want to delete will be placed. So we use the Trans component. And here the problem starts.
React itself handles HTML strings quite well. It just displays the source code: <a href="example.com">link</a>. But Trans interprets HTML (and displays link) or escapes HTML and displays <a href="example.com">link</a>.
I tried changing options (like escapeValue) or manually working with the string, which is passed as a value to translation. Nothing works as expected.
Is there any way to force Trans to behave as a react component and display HTML source code?
I found the solution:
in i18n.init set
    interpolation: {
        escapeValue: true
    }
Then in your Trans component, use the prop:
    shouldUnescape={true}
Working codesandbox is here
I'm creating a PDF with a large collection of quotes that I've imported into python with docx2python, using html=True so that they have some tags. I've done some processing to them so they only really have the bold, italics, underline, or break tags. I've sorted them and am trying to write them onto a PDF using the fpdf library, specifically the pdf.write_html(quote) method. The trouble comes with several special characters I have, so I am hoping to encode the PDF to UTF-8. To write with .write_html(), I had to create a new class as shown in their readthedocs under the .write_html() method at the very bottom of the left hand side:
from fpdf import FPDF, HTMLMixin

class htmlFPDF(FPDF, HTMLMixin):
    pass

pdf = htmlFPDF()
pdf.add_page()
# set the overall PDF to utf-8 to preserve special characters
pdf.set_doc_option('core_fonts_encoding', 'utf-8')
pdf.write_html(quote)
The list of quotes that I have going into the pdf all appear with their special characters and the html tags (<u> or <i>) in the debugger, but after the .write_html() step they then show up in the pdf file with mojibake, even before being saved, as seen through debugger. An example being "dayâ€ÂTMs demands", when it should be "day's demands" (the apostrophe is curled clockwise in the quote, but this textbox doesn't support).
I've tried updating the font I use by
pdf.add_font('NotoSans', '', 'NotoSans-Regular.ttf', uni=True)
pdf.set_font('NotoSans', '', size=12)
added after the .add_page() method, but this doesn't change the current font (or fix mojibake) on the PDF unless I use the more common .write(text_height, quote) method, which renders the underline/italicize tags into the PDF as text. The .write() method does preserve the special characters. I'm not trying to change the font really, but make sure that what's written onto the PDF preserves the special characters instead of mojibake them.
I've also attempted some .encode/.decode action before going into the .write_html(), as well as attempted some methods from the ftfy library. And tried adding '' to the start of each quote to no effect.
If anyone has ideas for a way to iterate through each line on the PDF that'd be terrific, since then I could use ftfy to fix the mojibake. But ideally, it would be some other html tag at the start of each quote or a way to change the font/encoding of the .write_html() method, maybe in the class declaration?
Or if I'm at a dead-end and should just split each quote on '<', use if statements to detect underlines, italicize, etc., and use the .write() method after all.
Extracting docx to HTML works really badly with docx2python. I did this a few months ago. I recommend PyDocX. docx2python is good for extracting docx file content, not for converting it into HTML.
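The text in the question ("dayâ€™s" for "day’s") is the classic signature of UTF-8 bytes being decoded with a single-byte code page (cp1252 or latin-1): the three bytes of a curly apostrophe, E2 80 99, become â, € and ™. That is reversible, and it is cheaper to repair the quote strings before they reach pdf.write_html() than to iterate over the rendered PDF afterwards. The following is an added example, not code from fpdf, docx2python or the question, and is a standard-library version of the ftfy step the question mentions. The sample quotes are constructed.

```python
def fix_cp1252_mojibake(text, code_pages=("cp1252", "latin-1"), max_rounds=3):
    """Undo 'UTF-8 bytes were decoded as a single-byte code page'.

    "day’s" written as UTF-8 (E2 80 99) and read back as cp1252 becomes
    "dayâ€™s". Re-encoding that string with the same code page recovers the
    original bytes, and decoding them as UTF-8 recovers the text. The loop
    repeats because the damage can be applied more than once along a
    pipeline. If no code page yields valid UTF-8 the input is returned as
    is, so clean text (ASCII or genuine accented letters) passes through.
    Caveat: text that legitimately contains a sequence like "Ã©" is
    indistinguishable from mojibake and will be "repaired" too.
    """
    for _ in range(max_rounds):
        repaired = None
        for cp in code_pages:
            try:
                candidate = text.encode(cp).decode("utf-8")
            except (UnicodeEncodeError, UnicodeDecodeError):
                continue
            if candidate != text:
                repaired = candidate
                break
        if repaired is None:
            return text
        text = repaired
    return text


def looks_like_mojibake(text):
    """True when a repair pass changes the text."""
    return fix_cp1252_mojibake(text) != text


def repair_quotes(quotes):
    """Apply the fix to every quote before it goes into pdf.write_html(); the
    HTML tags docx2python left in (<i>, <u>, <b>, <br>) are ASCII and unaffected."""
    return [fix_cp1252_mojibake(q) for q in quotes]


if __name__ == "__main__":
    # Constructed sample, not the asker's data: single- and double-round
    # mangling of a curly apostrophe, a mangled accented letter, clean text.
    for q in repair_quotes(["<i>dayâ€™s demands</i>", "dayÃ¢â‚¬â„¢s", "cafÃ©", "already fine"]):
        print(q)
```

Calling repair_quotes on the sorted list right before the write_html loop keeps the rest of the pipeline unchanged; looks_like_mojibake is useful as an assertion in a test so the problem is caught at import time rather than noticed in the PDF.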
I'm in an odd situation where I need to check, via a test, that a currency symbol is being properly displayed on our web page.
We've been running into issues where sometimes the unicode alphanumeric value is showing up on the page instead of the actual currency symbol itself.
Is there a way to check for something like this? Like with some type of visual checking library, or through javascript?
The answer to this issue was to specifically copy and paste the unicode character I was looking to test against into my text editor.
So using the Protractor framework, I would find my css element, and if I have a known price of 17.99 that should be returning, my test function would return:
return expect(myPriceElement.getText()).to.eventually.equal('£17.99');
If £17.99 shows up on my webpage, then my test will pass.
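The assertion above compares the rendered text against the literal symbol, which is the right check. As an added example (not from the question or the Protractor answer), here is a Python version of the same comparison that also names which failure mode produced the wrong text, because "the unicode value shows up instead of the symbol" can mean an HTML entity left unrendered, a JSON/JavaScript \u escape printed literally, or the symbol's UTF-8 bytes decoded as cp1252 (which turns £ into Â£). The check function and the sample renderings are constructed for this example.

```python
import html.entities
import unicodedata


def suspicious_forms(symbol):
    """Map from 'what the page shows when symbol was mangled' to a diagnosis."""
    cp = ord(symbol)
    forms = {
        "&#%d;" % cp: "decimal HTML entity shown literally",
        "&#x%x;" % cp: "hex HTML entity shown literally",
        "\\u%04x" % cp: "JSON/JS \\u escape shown literally",
        "U+%04X" % cp: "code point label shown instead of the glyph",
    }
    name = html.entities.codepoint2name.get(cp)
    if name:
        forms["&%s;" % name] = "named HTML entity shown literally"
    # UTF-8 bytes of the symbol read back as cp1252, e.g. "£" -> "Â£".
    mojibake = symbol.encode("utf-8").decode("cp1252", errors="replace")
    if mojibake != symbol:
        forms[mojibake] = "UTF-8 bytes decoded as cp1252 (mojibake)"
    return forms


def check_price(rendered, amount, symbol="£"):
    """Return (ok, reason) for the text a price element renders.

    Normalises to NFC first so a decomposed glyph still compares equal, then
    tries the known failure shapes case-insensitively.
    """
    text = unicodedata.normalize("NFC", rendered).strip()
    if text == symbol + amount:
        return (True, "ok")
    lowered = text.lower()
    for form, why in suspicious_forms(symbol).items():
        if form.lower() in lowered:
            return (False, why)
    return (False, "unexpected text: %r" % text)


if __name__ == "__main__":
    # Constructed renderings of the same 17.99 price, one correct and four broken.
    for sample in ("£17.99", "&pound;17.99", "&#163;17.99", "\\u00A317.99", "Â£17.99"):
        print(repr(sample), "->", check_price(sample, "17.99"))
```

The reason string is what you want in the test failure message: "named HTML entity shown literally" points at a template that escaped an already-escaped value, whereas "UTF-8 bytes decoded as cp1252" points at a charset mismatch between the server response and the page.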
I just started working with freemarker templates. I want to make sure that they are HTML escaped to avoid XSS vulnerabilities.
I tried using this template and passed anchor tag as a variable
String dummyAnchorTagVariable = "<a href='https://example.com'>Visit mysite</a>";
and used it in freemarker template
<div> ${dummyAnchorTagVariable} </div>
Result of this was seeing whole text including tags on the webpage and not as a link. So I assume that freemarker is HTML escaped by default
But when I try to find the documentation related to it, I don't find it anywhere that says Freemarker is HTML escaped by default
http://freemarker.incubator.apache.org/docs/ref_directive_escape.html
and there is even a blog post (although old) that describes how to make it escape by default: http://watchitlater.com/blog/2011/10/default-html-escape-using-freemarker/
So I'm kind of confused about the HTML escaping in Freemarker.
FreeMarker before 2.3.24 is not escaped by default, unless someone is using a custom TemplateLoader that puts the template inside <#escape x as x?html>...</#escape>. If that's what happening in your case, then <#noescape>${dummyAnchorTagVariable}</#noescape> will work, otherwise it will give an error because there's no active #escape to disable.
FreeMarker 2.3.24 can auto-escape without TemplateLoader tricks (as of this writing it's not yet out, but hopefully RC1 comes in days and final in February).
I've just installed CKeditor rich text WYSIWYG editor on a site I'm building and it seems to be working ok except for the fact that it inserts text into my mysql database as encoded html rather than regular html and then when the browser outputs this text it converts the encoded data into regular html that then displays in the browser showing the html tags and none of the styling!?
eg I type:
"This is text"
into the editor and it then inserts
&lt;p&gt;This is text&lt;/p&gt;
into the database. Then when the page is called the browser converts the above and outputs the following on the page:
<p>This is text</p>
obviously I just want "This is text" to display on the page.
Does anyone know why this is happening/how to solve it please?
Any suggestions would be most welcome.
Cheers
If you don't want CKEditor to create paragraphs for you, set config.autoParagraph to false. Additionally you may want to change enter key behaviour with config.enterMode set to CKEDITOR.ENTER_BR.
And regarding disappearing styles...
EDIT: OK, it seems I missed your point.
So your website is displaying HTML markup instead of HTML while rendering out what you typed?
Then the problem is your server side rather than CKEditor. You can verify in your console that CKEDITOR.instances.yourInstance.getData() yields the correct, unescaped HTML:
<p>This is text</p> // Right!
If it is so, and I strongly believe it is, CKEditor's just fine and this is your server app that is converting special chars into entities (i.e. like PHP htmlspecialchars) while saving to database. You didn't mention what kind of framework/language you use there, so I can just tell you that it is to secure user input to prevent cross-site scripting, breaking layouts etc. and all popular frameworks allow you to disable that feature for a particular field. Simply refer to documentation.
Modern templating languages tend to autoescape html input. For example, in DTL it would be displayed correctly in the template by simply using
{{ object.field_name|safe }}
This is a desired action, since user input is considered untrusted and may be considered malicious.
The browser is not parsing HTML, so on the page displaying (or in the php file) try using {! !} instead of {{ }}.
If you are using laravel, then you should use {!! $variable !!}.
For Laravel 7, 8, and 9 - for example, if there is a variable called $student
and the student variable holds "This is Text" in a paragraph, you must call the variable using a single curly brace front and back, inside two
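Added example, not code from CKEditor, Django or Laravel: what has to happen before |safe or {!! !!} is used on editor output. Both constructs switch autoescaping off for that one value, so whatever is stored is trusted as-is. If the HTML came from a user-facing editor, the safe combination is to store it unescaped (no htmlspecialchars on the way in, which is what produces the &lt;p&gt; in the question), sanitize it against an allowlist of tags and attributes, and only then render it unescaped. The allowlist and the sanitizer below are built on the standard library's html.parser so the example runs stand-alone; the tag and attribute lists are constructed for this example, and in production a maintained sanitizer (for instance bleach or nh3 in Python, DOMPurify in the browser) is the better choice.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist for editor output (constructed for this example; tune per site).
ALLOWED_TAGS = {"p", "br", "strong", "em", "u", "ul", "ol", "li", "a"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment keeping only allowlisted tags and attributes.

    Disallowed tags are dropped but their text is kept (so <div>x</div>
    becomes x), except script/style whose content is dropped entirely.
    Text and attribute values are re-escaped on output, so a stored
    '&lt;p&gt;' stays literal instead of turning into a tag.
    """

    DROP_CONTENT = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0    # depth inside script/style
        self._open = []   # allowed tags emitted and not yet closed

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue   # drops onclick/onerror/style/... on every tag
            if name == "href" and urlsplit(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue   # blocks javascript:, data:, vbscript: (entities already decoded)
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag in VOID_TAGS or tag not in self._open:
            return
        while self._open:   # close anything left open above it; keeps output well-formed
            t = self._open.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()
        while self._open:
            self.out.append("</%s>" % self._open.pop())


def sanitize(fragment):
    """Return the allowlisted HTML: this is the value you hand to |safe / {!! !!}."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed editor output, including two injection attempts.
    print(sanitize('<p onclick="steal()">Hi <script>alert(1)</script>there</p>'))
    print(sanitize('<a href="javascript:alert(1)">x</a><img src=x onerror=alert(1)>'))
```

Two points worth noting in the design: HTMLParser decodes attribute entities before the scheme check, so an href written as &#106;avascript: is still caught, and the output is regenerated rather than patched, so nothing the parser did not explicitly emit can survive into the page.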