http://stackoverflow.com/questions/11844218/xml-to-web2py-html-tag-conversion
The database is storing the original HTML. However, any text written to a web2py view is automatically escaped, so the HTML code displays literally rather than being rendered as HTML. To avoid that, as you have pointed out, you can simply wrap the HTML in the XML() helper.
Be careful, though -- you should not do this with input entered by users. A malicious user could enter Javascript code, which could create a security vulnerability for other users viewing that content (this is why web2py automatically escapes everything in the first place). To be safer, you could also do XML(..., sanitize=True).
http://stackoverflow.com/questions/9679561/how-can-i-prevent-web2py-from-automagically-encoding-html-entities
I'm trying to print out HTML generated for user-submitted markdown, by {{=markdown(post.message)}}
where the markdown function is imported through
from gluon.contrib.markdown.markdown2 import markdown
web2py seems to automatically encode HTML entities, so every < is converted into &lt; and every > is converted into &gt;. How do I prevent this from happening?
Are there any security concerns that I'll need to keep in mind while doing so? Also, could anyone kindly tell me how I can strip the HTML when storing it in the database, while retaining the markdown?
Answer:
You have to do this:
{{=XML(markdown(post.message))}}
Every string is sanitized by the template render; if you pass "<div>" it will be rendered as "&lt;div&gt;". It is to protect against malicious code.
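A small stand-alone Python model of the behaviour both answers describe: the template escapes every string by default, a trusted-HTML wrapper (the role web2py's XML() helper plays) bypasses that escaping, and an allow-list sanitizer (the idea behind XML(..., sanitize=True)) keeps formatting tags while dropping script blocks and event-handler attributes. This is an added example, not web2py's own code; TrustedHTML, render, sanitize and the tag allow-list are assumptions, and web2py's real sanitizer uses its own allow-list.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list for the demo; web2py's own sanitizer has its own.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "code", "pre", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")


class TrustedHTML(str):
    """Marker type: render() emits it verbatim, the way XML() marks trusted markup."""


class Sanitizer(HTMLParser):
    """Rebuilds markup keeping only allow-listed tags/attributes; drops script/style bodies."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded, we re-escape it
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self.skip += 1  # swallow the element's text as well
            return
        kept = []
        for name, value in attrs:  # onclick, onerror, style, ... are never on the list
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                    continue  # rejects javascript:, data:, etc.
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> -> <br>

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Model of XML(html, sanitize=True): filtered markup, marked as trusted."""
    p = Sanitizer(); p.feed(html); p.close()
    return TrustedHTML("".join(p.out))


def render(value):
    """Model of {{=value}}: everything is escaped unless it is TrustedHTML."""
    return str(value) if isinstance(value, TrustedHTML) else escape(str(value), quote=True)
```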