I'm using Flask and Sqlite.
I take some string, which contains newlines, and store it in the db. At some later point I get it from the db and include it on some page, and the string shows up without newlines. What's with that?
For example if I have
{{ entry.content }}
in my template, and the entry that was stored had content "hello\nhello", it displays "hellohello" on the page.
However if I have
{{ entry.content.replace('\r\n','<br />') }}
or
{{ entry.content.replace('\r\n','
') }}
in my template, it will display "hellohello" or "hello
hello" on the page.
So my impression is that the newline characters just aren't being interpreted and displayed by the browser. What am I doing wrong?
Try {{ entry.content|safe }} so Flask/Jinja doesn't escape your HTML.
(Be careful, though, as any user-entered content, including script tags, will be output as-is. If you really want to be cautious and only allow certain tags, you might want to write your own scrubber: Jinja2 escape all HTML but img, b, etc)
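An alternative to `|safe` that keeps autoescaping on, as an added example that is not part of the original answer: escape the stored text first, then insert the `<br>` tags, so the only markup reaching the browser is what the filter itself produced. It assumes the filter is registered on a Flask app with `app.jinja_env.filters["nl2br"] = nl2br`; the `markupsafe` import is the one Jinja2/Flask ship with, with a plain-string fallback so the file runs on its own.

```python
import html
import re

try:
    from markupsafe import Markup  # installed alongside Jinja2/Flask
except ImportError:                 # fallback so the file runs without Jinja2
    Markup = str

_LINEBREAK = re.compile(r"\r\n|\r|\n")

def nl2br(value):
    """Escape first, then insert <br>. Intended as a Jinja filter.

    Every '<', '>', '&', '"' and "'" in the untrusted value is escaped
    BEFORE the <br> tags are added, so a stored <script> tag stays inert.
    Wrapping the result in Markup tells Jinja's autoescaper the string is
    already escaped, which avoids double-escaping the <br> tags.
    """
    if value is None:
        return Markup("")
    escaped = html.escape(str(value), quote=True)
    return Markup(_LINEBREAK.sub("<br>\n", escaped))

def render_unsafe(value):
    """What {{ entry.content|safe }} does: the stored text goes out verbatim."""
    return "" if value is None else str(value)

# Constructed sample: a DB row whose content came from an untrusted form post.
SAMPLE_CONTENT = "hello\r\nhello<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_CONTENT))  # script tag survives: stored XSS
    print(nl2br(SAMPLE_CONTENT))          # script tag escaped, line break kept
```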
Hello, I am generating a layout with an external link to a Google search result with inserted variables (that look like #SOMEWORDSASTAGS). I am using Jekyll syntax and HTML together, see:
<p class="one">#<u><a href=”https://www.google.com/search?q=#{{ page.shortname }}”>{{ page.shortname }}</a></u> ({{ page.content | number_of_words }})</b></p>
I want Google to search for anything with the inserted hashtag #SOMEWORDSASTAGS created by #{{ page.shortname }}.
As a result I am getting a link that includes my_domain at the beginning and therefore doesn't work correctly.
https://my_domain/%E2%80%9Dhttps://www.google.com/search?q=#SOMEWORDSASTAGS
See the sample page here; click the link at the bottom left, "GALINSKAYA".
In _includes/footer.html, you're quoting your URL with inappropriate characters: ” (charcode 8221), but you are supposed to quote with a single quote ' (charcode 39) or a double quote " (charcode 34).
”https://www.google.com/search?q=#{{ page.shortname }}” fails, but
"https://www.google.com/search?q=#{{ page.shortname }}" works.
I am using the jinja2 templating language to create dual-language documents. To that end, I have created a macro called select_lang which takes two strings as arguments, the text in the primary language and in the secondary language, and returns it in the format
<text in primary language> / <i><text in secondary language></i>
Sometimes, as input, I want to use a jinja2 variable, and this is where I struggle. Given the following code:
<!DOCTYPE HTML>
{% set bilingual = primary_lang and secondary_lang %}
{% from 'templates/partials/macro_select_lang.j2.html' import select_lang with context %}
<html>
<body>
{{ select_lang('Testo in italiano','Text in English') }}<br>
{{name.upper()}}<br>
{{ select_lang('Ciao, {{name.upper()}}','Hello, {{name.upper()}}') }}
</body>
</html>
I get this output:
Testo in italiano / *Text in English*
JANE DOE
Ciao, {{name.upper()}} / Hello, {{name.upper()}}
but the desired outcome would be that {{name.upper()}} was evaluated before being passed on to the select_lang macro.
I have searched the jinja2 documentation, but I can't find any relevant topic.
Note: one might think that this is a silly macro which could be replaced with some simple html-code. This is true in this example, but in the real application it does a whole lot more, so replacing the macro does not solve the problem; I need to evaluate the expression before passing it on.
In a regular programming language, I would have written something like
{{ select_lang('Ciao, ' + {{name.upper()}},'Hello, ' + {{name.upper()}}) }}
but this does not work and I suppose jinja2 does not offer an operator for string concatenation.
It seems you have too many curly braces!
Try:
{{ select_lang('Ciao, ' + name.upper(),'Hello, ' + name.upper()) }}
As you are already inside a {{...}} statement...
I have a web page which has a tooltip set as follows:
title="Tel: {%- recordFields.providerTel || 'N/A' %} Email: {%-recordFields.providerEmail || 'N/A' %}"
The line occupies 142 columns...
Is there a way to break up the title string in the source so that it can span multiple lines?
Something along these lines:
title="Tel: {%- recordFields.providerTel || 'N/A' %} \
Email: {%-recordFields.providerEmail || 'N/A' %}"
In a comment on the question I asked:
You only want it to span multiple lines in the source, right? The actual value shouldn't have newlines (e.g., when used)?
and you said:
Let's say that. In this particular case, I also want a newline in the output, but I'll remove it for clarity.
It's a really fundamental part of the question. :-)
If you do want the newlines, the answer is easy but (to my mind) unsatisfying: Just put them in, literally:
<div title="Tel: {%- recordFields.providerTel || 'N/A' %}
Email: {%-recordFields.providerEmail || 'N/A' %}">...</div>
Live example. Note that it's important not to have leading whitespace on the next line, because that whitespace is part of the attribute value. This is what makes it unsatisfying to me, because having that subsequent line start at column 0 in something that's otherwise indented seems unclean (and some tools will fight with you, trying to indent it).
If you don't want the newlines in the attribute's value, I'm not aware of a way to do it. According to the HTML specification, an attribute's value is "...Attribute values are a mixture of text and character references...", and if we follow that link for "text" it doesn't say anything about putting source-only linebreaks in the value.
Since you seem to be using some kind of templating engine, if it runs server-side then you could of course define a property on the values object to hold the title string:
title="{%- getTitleFor(recordFields) %}"
...but that moves the content out of your HTML source (where content generally belongs) into your server-side language source, so it's not a great alternative.
I am using the html purifier https://github.com/mewebstudio/Purifier to filter the text from an input like this:
$body = Input::get('body');
$purifiedtext = Purifier::clean($body);
Then the $purifiedtext variable is stored to the database so that it could be retrieved later in the view. This is working and filters the text but when I am retrieving it, the html markup is visible instead of producing the correct output.
This is how I am trying to retrieve the stored $purifiedtext with blade:
{{{ $upload->body }}}
For example if the input for body is 'some text' wrapped with h2 tags then the output should be: some text
Now it is just returning the text like this: <h2>some text</h2>
How can I change that so it will know about the tags and format the content appropriately?
Should I use htmlentities to do that?
You are escaping your text in Blade:
{{{ $upload->body }}}
Removing the extra curly braces should make it work:
{{ $upload->body }}
remove the third bracket... don't escape HTML returned from MySQL, that does not work
use {{ $upload->body }} instead
In the Django docs it says:
Django templates escape specific characters which are particularly dangerous to HTML. While this protects users from most malicious input, it is not entirely foolproof. For example, it will not protect the following:
<style class={{ var }}>...</style>
If var is set to 'class1 onmouseover=javascript:func()', this can result in unauthorized JavaScript execution, depending on how the browser renders imperfect HTML.
How can I prevent this?
I'm not especially familiar with Django, but it looks to me like the error they intended to point out is that there are no quotes around the attribute value, meaning that the space in the example value causes the rest of the string (onmouseover=...) to be interpreted as a separate attribute. Instead, you should put quotes like so:
<style class="{{ var }}">...</style>
If I understand correctly, this would be safe since all the characters that could interfere with the quoting are escaped. You might want to verify that interpretation; for example, write <span title="{{ var }}">foo</span>, run the template with foo set to <>"'&, and then make sure that they're properly escaped in the HTML and that the title appears in the browser with the original characters.
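The verification suggested above, as an added example that is not from the answer or from Django: it applies the same five-character escaping (& < > " ') that Django's autoescaping does, then parses the rendered markup with the standard library's HTMLParser to see which attributes a browser would end up with for the unquoted and the quoted template. `render` and `rendered_attributes` are assumed helper names; the payload string is the one quoted from the Django docs on this page.

```python
import html
from html.parser import HTMLParser

def django_escape(value):
    """Escape the same five characters Django's escape filter does."""
    return html.escape(str(value), quote=True)

def render(template, var):
    """Stand-in for Django rendering: substitute {{ var }} with its escaped value."""
    return template.replace("{{ var }}", django_escape(var))

class _AttrCollector(HTMLParser):
    """Records (tag, attributes) for every start tag the parser sees."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded entities in attribute values here,
        # which is what the browser would present to scripts as well.
        self.tags.append((tag, dict(attrs)))

def rendered_attributes(template, var):
    """Render, then return the first tag's attributes as a browser would see them."""
    parser = _AttrCollector()
    parser.feed(render(template, var))
    parser.close()
    return parser.tags[0][1] if parser.tags else {}

PAYLOAD = "class1 onmouseover=javascript:func()"   # value from the Django docs quote
UNQUOTED = "<style class={{ var }}>...</style>"     # the docs' vulnerable form
QUOTED = '<style class="{{ var }}">...</style>'     # the answer's fix

if __name__ == "__main__":
    # Unquoted: the space splits the value and a second attribute appears.
    print(rendered_attributes(UNQUOTED, PAYLOAD))
    # Quoted: one class attribute holding the whole string, nothing executable.
    print(rendered_attributes(QUOTED, PAYLOAD))
```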
One thing you can do is not allow variable classes. You can use something like
<style class={% if class_foo %}foo{% elif class_bar %}bar{% else %}baz{% endif %}>...</style>
There are also filters available to prevent XSS elsewhere: https://docs.djangoproject.com/en/dev/ref/templates/builtins/#std:templatefilter-escape