
Comments (6)

lipis commented on July 25, 2024

Yes, I'm aware of that, and the reason I didn't want to escape it or treat it with care is that sometimes you want to add links, make something strong or have a header... and, as you mentioned, from the admin console you can do a lot of bad things, so you'd better be careful who is admin and who is not :)

from gae-init.

mdxs commented on July 25, 2024

Understood, and no problem there. However, I want to use HTML input elsewhere too, and there I will need to sanitize the user input; I'm thinking of adding Bleach (possibly in combination with either CKEditor or TinyMCE).

Unless you tell me that we already have some "cleaner" built into gae-init?


lipis commented on July 25, 2024

Well, by default Jinja2 escapes the variables, and it won't escape them unless you're explicitly saying that they're safe (at your own risk)...

Just remove the | safe filter there and you'll see...
https://github.com/gae-init/gae-init/blob/master/main/templates/bit/announcement.html#L4

You can read more about it here: http://jinja.pocoo.org/docs/templates/#html-escaping


mdxs commented on July 25, 2024

Sure, but I want to render the user-input HTML... thus I need to clean it on input.

BTW: I'm okay with this being "my" problem, in that gae-init will not dictate a particular approach to this issue.


lipis commented on July 25, 2024

If you have the user input and it's actually HTML but you still want to be a bit safe, then I guess you'll have to do some research on what exactly suits your needs... whether it's going to be client side or server side, whether it's going to clean up some HTML tags or just escape them, etc.

But if you're choosing between CKEditor and TinyMCE, I would suggest you go with CKEditor, because I played with TinyMCE in the past and it's a pain... CK looks more robust, produces friendlier HTML and has cooler features.


mdxs commented on July 25, 2024

As said in closing #61 "Fixed XSS vulnerability in Admin Config": yes, it is important to avoid/fix XSS vulnerabilities in your final product; the PR #61 hints at one such approach (using https://github.com/jsocol/bleach and https://github.com/html5lib/html5lib-python) and will resolve the issue. However, gae-init does not need to mandate this particular solution.

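Added example, not part of the issue thread and not gae-init's or Bleach's code: the two options the thread contrasts side by side. `escape_html` does what Jinja2 autoescape does when the `| safe` filter is absent (the markup is displayed, never executed); `AllowlistSanitizer` does what the thread proposes doing with Bleach before rendering with `| safe`, namely parse the HTML and keep only an allowlist of tags, attributes and URL schemes. It uses only the Python standard library so it runs offline; the allowlist sets, the class and function names, and the sample announcement are all my own assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample input (not from the gae-init issue): an announcement with
# harmless formatting mixed with the XSS vectors a sanitiser must remove.
SAMPLE = (
    '<p>Maintenance <strong>tonight</strong>. '
    '<a href="https://example.com/status" onclick="steal()">status</a> '
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)">bad link</a></p>'
)

# Hypothetical allowlist; a real deployment tunes these to the editor in use.
ALLOWED_TAGS = {"p", "br", "strong", "em", "a", "h1", "h2", "h3", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}   # the tag and everything inside it go
VOID_TAGS = {"br"}                        # never pushed on the open-tag stack


def escape_html(text):
    """Approach 1: what Jinja2 autoescape does when `| safe` is absent.
    Markup is shown literally, so nothing the author wrote can execute."""
    return html.escape(text, quote=True)


def _safe_url(value):
    """Reject javascript:, data:, vbscript: and any other non-allowlisted
    scheme. Relative URLs (empty scheme) are accepted."""
    scheme = urlsplit((value or "").strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Approach 2: keep an allowlist of tags/attributes, drop everything else.
    Same idea as Bleach; this is a teaching-size stand-in, not Bleach itself."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # allowed tags currently open, for balanced output
        self.dropping = None  # name of a script/style element being skipped

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is removed; its text content is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # silently drops on* handlers, style=, srcdoc=, ...
            if name == "href" and not _safe_url(value):
                continue
            kept.append((name, value or ""))
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.dropping = None
            return
        if tag in self.open:
            # Close back to the matching tag so the output is always well nested.
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # Decoded text is re-escaped, so entities come out as text, not markup.
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()  # flush any buffered text
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html):
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    return parser.result()


if __name__ == "__main__":
    print(escape_html(SAMPLE))
    print(sanitize(SAMPLE))
```

Two points worth noticing when comparing the outputs: the `onclick` handler and the `javascript:` href are removed by attribute and scheme allowlisting, not by looking for known-bad strings, and the cleaner works on a real HTML parse (HTML comments, for instance, are dropped because the parser never hands them to the output), which is why the thread's suggestion of Bleach on top of html5lib is the right shape for this job rather than a regex. Bleach's `clean()` exposes the same knobs as `tags=`, `attributes=` and `protocols=` keyword arguments. Whichever cleaner is used, it has to run on the way in or right before rendering, and the result is the only thing that should ever be passed through `| safe`.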
