I am looking to secure some WYSIWYG input in a Symfony2 application. I have been looking at some flat PHP plugins like HTMLPurifier, but just tweaking the Twig standard functionality like variable|raw_secure with some own parameters would suffice, if there is a way to create a filter that inherits from the |raw but lets me specify a few tags that are allowed...
Anyone done that?
I need to protect myself from XSS, JavaScript etc.
“if there is a way to create a filter that inherits from the |raw but lets me specify a few tags that are allowed...”
Twig's filter raw does nothing with a parameter passed to it.
You can use Twig's filter escape with specific strategy. If that solution doesn't fit – you can create your own Twig filter.
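As an added illustration of the "create your own Twig filter" route (this is not the answerer's code and not part of Twig), the following extension registers a raw_secure filter that keeps only an allowlist of tags and attributes and drops everything else, including event-handler attributes and non-http(s)/mailto href values. It assumes the Twig 2/3 class names Twig\Extension\AbstractExtension and Twig\TwigFilter (Twig 1.x used Twig_Extension and Twig_SimpleFilter), and the allowlist contents are an assumption you would adjust.

```php
<?php
// Added example: an allowlist-based Twig filter, hypothetical and not from the original post.
// Usage in a template: {{ post.body|raw_secure }} or {{ post.body|raw_secure(['h2', 'h3']) }}
use Twig\Extension\AbstractExtension;
use Twig\TwigFilter;

final class RawSecureExtension extends AbstractExtension
{
    // Allowlist: tag name => attributes permitted on it. Anything not listed is removed,
    // so <script>, <iframe>, <img onerror=...> and friends never reach the output.
    private const ALLOWED = [
        'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
        'ul' => [], 'ol' => [], 'li' => [],
        'a' => ['href', 'title'],
    ];

    public function getFilters(): array
    {
        // is_safe => ['html'] tells Twig the result is already safe HTML, so autoescape
        // does not re-escape it; that is why the sanitizing must be strict.
        return [new TwigFilter('raw_secure', [$this, 'sanitize'], ['is_safe' => ['html']])];
    }

    /** @param string[] $extraTags additional tag names to permit (attribute-less) */
    public function sanitize(string $html, array $extraTags = []): string
    {
        $allowed = self::ALLOWED + array_fill_keys(array_map('strtolower', $extraTags), []);

        $doc = new \DOMDocument();
        libxml_use_internal_errors(true); // WYSIWYG output is rarely well-formed; tolerate it
        // Wrap the fragment so we can serialize only its children afterwards.
        $doc->loadHTML(
            '<?xml encoding="utf-8"?><div>' . $html . '</div>',
            LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
        );
        libxml_clear_errors();

        $root = $doc->getElementsByTagName('div')->item(0); // outermost element = our wrapper
        if ($root === null) {
            return '';
        }
        $this->clean($root, $allowed);

        $out = '';
        foreach ($root->childNodes as $child) {
            $out .= $doc->saveHTML($child);
        }
        return $out;
    }

    private function clean(\DOMNode $node, array $allowed): void
    {
        // Copy the live NodeList first because we remove children while iterating.
        foreach (iterator_to_array($node->childNodes) as $child) {
            if ($child instanceof \DOMElement) {
                $tag = strtolower($child->tagName);
                if (!isset($allowed[$tag])) {
                    $node->removeChild($child); // unlisted element: drop it and its subtree
                    continue;
                }
                foreach (iterator_to_array($child->attributes) as $attr) {
                    $name = strtolower($attr->name);
                    if (!in_array($name, $allowed[$tag], true)) {
                        $child->removeAttribute($attr->name); // onclick, style, srcdoc, ...
                    } elseif ($name === 'href'
                        && !preg_match('~^(https?:|mailto:|/|#)~i', trim($attr->value))) {
                        // Only http(s), mailto, site-relative and fragment links survive;
                        // javascript: and data: URLs (in any case or spacing) are removed.
                        $child->removeAttribute('href');
                    }
                }
                $this->clean($child, $allowed);
            } elseif (!($child instanceof \DOMText)) {
                $node->removeChild($child); // comments and processing instructions
            }
        }
    }
}
```

Register it with $twig->addExtension(new RawSecureExtension()) (or as a tagged twig.extension service in Symfony). The scheme allowlist on href is deliberate: a denylist of "javascript:" misses encoded or whitespace-padded variants, whereas requiring a known-good prefix does not. Relative links without a leading slash are dropped by this rule, which you may or may not want. Parsing through DOMDocument rather than regex means the output is re-serialized from a tree, so unbalanced or obfuscated markup from the editor cannot smuggle a tag past the filter; HTMLPurifier does the same thing with far more edge cases covered and remains the more thorough option.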
Related
I frequently use PhpStorm's Extract variable & method refactorings. Is there a way to add/extend functionality that could create a new template file from the selected code, prompt for desired template path, and create an include/require statement for that template?
I'm asking either for an entry point into coding this functionality, or extending existing functionality. Or maybe it's already available and I missed it.
As @Ástþór mentioned, there is no such way to change the refactoring templates.
You can use surround with live templates to emulate this behavior. This will not find duplicates and will not replace them either, but maybe it's close enough to what you want.
Add a surround live template like this one. Open the editor with Ctrl+Alt+S:
Edit the variables in order to get a nicer UX:
Select the variable you want to extract and select Code > Surround with Live Templates from the menu or press Ctrl+Alt+J.
Adjust the templates to your needs.
Live template variables
HTH
No, there isn't. You can ask this question at https://intellij-support.jetbrains.com/hc/en-us/community/topics/200366979-IntelliJ-IDEA-Open-API-and-Plugin-Development
Other useful sources: https://www.jetbrains.org/intellij/sdk/docs/basics/getting_started.html & https://confluence.jetbrains.com/display/PhpStorm/Setting-up+environment+for+PhpStorm+plugin+development
"...If you need to use something similar to the url template tag in your code, Django provides the following function: reverse()...."
I looked at the docs for get_absolute_url() and reverse, as well as the example given:
<a href="{{ object.get_absolute_url }}">{{ object.name }}</a>
What I am not seeing, or understanding, is how are we passing the kwargs (name, self, ID, whatever) to the model method so it knows which one of 100 instances to return the url for, particularly where I need to use it in text, outside the template system?
<a href="name_of_object.get_absolute_url">text name of object</a>
Do I have to put the full name of the object in the href?
How would I use a variable like self or object or modelname instead?
Can I rewrite gau to take kwargs as well as self?
If I do that, can I put the () on the end of gau to take in the kwargs? We can’t do that in the template.
Can I use:
<a href="self.get_absolute_url(**kwargs)">text name of object</a> ?
or
<a href="object.get_absolute_url(self, **kwargs)">text name of object</a> ?
And if so, do I need to add anything to the definition of gau on my model to make sure those kwargs are passed to return?
Or do I just treat it like a regular outside link, and thus have to hard code it?
Thanks.
--update--
@ChidG: Thanks for such a complete answer, and my apologies for taking so long to get back to you. I'd like to clarify my use case a little, and see if that changes your answer any. If I have ten articles using the same template, each article is still unique, and their links to different urls are not going to be in the same place on each article. So there is no way for me to put a single (or multiple) url tag in the template that will be useful to all ten articles. That's what I meant by using gau / the url tag outside the template. I want to do a simple search and replace that will turn the affected text into links. Otherwise, I'd have to do them one at a time by hand, which I assumed couldn't be the way this has to be done. What am I missing?
When Django's docs say 'outside of the template system', they mean in Python code, in a views.py or models.py (or whatever.py) file. The examples you have given all appear to be HTML (they feature <a> tags, so it looks like you are talking about HTML).
If it's HTML, then it's not outside the template system, so the Python functions you've mentioned won't work. You need to use the Django template tags.
Regarding this question:
What I am not seeing, or understanding, is how are we passing the kwargs (name, self, ID, whatever) to the model method so it knows which one of 100 instances to return the url for, particularly where I need to use it in text, outside the template system?
{{object.get_absolute_url}} (or object.get_absolute_url() in pure Python) does not require a kwarg, because the get_absolute_url method on the model already knows how to generate the correct URL with whatever kwargs are needed. If it doesn't already know how to do that (because of your specific URL configuration), you can write a custom get_absolute_url method which will enable that.
Whenever you return an HTML file from a Django view (unless you're doing something unconventional), you are using the template system. When you're using the template system, you reference Django context variables using {{ }} and custom tags using {% %}. So to insert a URL into a template, whether it's into an <a> tag or just into the text, you will use curly brackets and it will be {{ object.get_absolute_url }} or, using the url tag itself, {% url 'whatever_url_name' kwarg=value %}.
Do I have to put the full name of the object in the href?
You have to put whatever the context variable is that refers to the object in the template context.
How would I use a variable like self or object or modelname instead?
You can use whatever name you like for the context variable. If you're using Django's class based views it will be object by default for a single object view, but you can change it to whatever you like using the context_object_name attribute on the view.
Can I rewrite gau to take kwargs as well as self?
That is unnecessary. get_absolute_url returns a full URL, and all it needs is the model instance. The model instance must be able to find its own url using its own get_absolute_url method without any further kwargs.
Can I use:
The correct syntax is clearly demonstrated in the Django docs for get_absolute_url that you've linked to:
<a href="{{ object.get_absolute_url }}">{{ object.name }}</a>
I'd like to create form in specific way. The form should be able to render itself based on received data, should be used like that:
<form action="#" th:action="#{/blahblah}" th:formDefinition="${formDef}" th:object="${formData}" method="post">
This should render the necessary input elements in some way, fill in the data etc. Is there a way how to achieve this in Thymeleaf?
Nope, there is no such way to do this in pure Thymeleaf.
But you have an option to do something like this using fragments.
Create a th:fragment which takes the parameters formDef and formData
In the fragment, create a loop and generate the form as you want dynamically
Call the fragment using th:include with the real parameters in the places where you need the form to get generated.
Use Apache FreeMarker to create templates in the NetBeans IDE. Using these templates, auto-generate your forms from your Entities. This allows you to apply the DRY principle (Don't Repeat Yourself) in your SDLC.
For more info, watch the clip below on how they have applied the principle:
https://nofluffjuststuff.com/blog/reza_rahman/2015/01/vaadin_cdi_and_java_ee
What is the best sample for a two-language PhoneGap app?
I want to let the user set the default language (index-en.html or index-fa.html) and theme on first use and save the selected user settings. What is the best possible way to do this?
For client side internationalization I can recommend i18next.
You can just create two resource files with JSON objects and use them for your static text. That way you don't have to maintain two HTML files, which I can imagine would be very frustrating.
Using i18next is pretty simple.
You just place a data-i18n attribute to the element like this:
<span class="my-class" data-i18n="my.key"></span>
And make it do its magic like this:
$(".my-class").i18n();
If you are using Handlebars as a template engine it is even better, you just need to:
{{t "my.key" }}.
You can of course use it programmatically like this:
var myKey = t("my.key");
If you have a large project with a lot of static content, you may want to maintain the translations in other format like Excel and then use some kind of tool to convert it to JSON.
I stumbled upon this code:
<a href="#" class="text1"{text2}>...</a>
What does the {text2} do? Later on, this HTML is replaced with:
<a href="#" class="text1" {text2} style>...</a>
Is there a way I can retrieve the text2 value with jQuery?
In some cases that code is input in so scripts can easily identify the line. Or in some cases it can be an indicator for a database to retrieve and store data once it has been pulled.
Or it could be invalid markup; doubtful if the person knows what they are doing.
But without any other information or variables it is hard to say. The most common use is access for scripts within PHP, JavaScript, and even C#, because they can parse the HTML document and manipulate it. If those braces are used incorrectly, it will cause a parse error.
Hopefully that sort of clarifies it.
Update:
Yes, jQuery can find it. It is a form of JavaScript. You could implement something such as:
$(function() {
  // selects every element whose text content contains the placeholder
  var foundString = $('*:contains("{text2}")');
});
There is a vast amount of data that addresses this for more detail.
It does nothing in HTML. It's actually invalid markup. Looks like maybe you have a template system that finds and replaces that before it gets rendered to the browser.
I know that in jinja2, a python templating system, brackets contain commands to the template engine, either as:
Hello, {{varName}}
or:
<ol>
{%for l in varList%}
<li>{{l}}</li>
{%endfor%}
</ol>
That's in jinja, but jinja has similar syntax to django templates, and many other template engines probably copy django's syntax also.
It's used in AngularJS, where they are called expressions: {{expression}}
AngularJS is a JavaScript framework. It can be added to an HTML page with a <script> tag.
AngularJS extends HTML attributes with Directives, and binds data to HTML with Expressions.