Python/Flask:将 HTML 注入到页面
[英]Python/Flask: Inject HTML to page
问题描述
I have a page that gets input from the user and stores it in an object inside a dictionary in server side.
我有一个页面,它从用户那里获取输入并将其存储在服务器端字典内的 object 中。
class post:
def __init__(self, title, content, date, poster, desc):
self.title = title
self.content = content
self.date = date
self.poster = poster
self.desc = desc
posts = {}
...
if request.method == "POST":
# NOTE: title and description is input, and content is textarea.
# I only want to input html in content textarea.
title = request.form["title"]
content = request.form["content"]
description = request.form["description"]
if title in posts:
flash("A post with that title already exists!")
return redirect(url_for("post_content"))
else:
posts[title] = post(title, content, date, session["user"], description)
flash("Posted successfully!")
return redirect(url_for("home"))
else:
return render_template("post.html")
...
I then send the data in posts to another page然后我将帖子中的数据发送到另一个页面
@app.route("/post/<title>")
def post_page(title):
data = posts[title]
return render_template("content.html", post=data)
This is the template for content.html这是内容的模板。html
{% extends "base.html "%}
{% block title %}{{post.title}}{% endblock %}
{% block content %}
<h1>{{post.title}}</h1>
<p>By {{post.poster}}, {{post.date}}</p>
<p><i>{{post.desc}}</i></p> <br>
<p>{{post.content}}</p>
{% endblock %}
However, when I try sending HTML, it just shows as it was inputed (<h1>Hello</h1> justs shows as it is instead of making it a heading).但是,当我尝试发送 HTML 时,它只是显示为输入(<h1>Hello</h1> 只是显示它而不是使其成为标题)。 Additionally, If I try inputting multiple lines, it just shows as one long line in the output.此外,如果我尝试输入多行,它只会在 output 中显示为一长行。
How do I display the inputted text as HTML?如何将输入的文本显示为 HTML?
1 个解决方案
解决方案1
0 2020-07-24 09:40:57
Your html is automatically escaped by jinja for security reasons.出于安全原因,您的 html 会被 jinja 自动转义。 It's not always a good idea to have {% autoescape %} set to false or {{ something |将 {% autoescape %} 设置为 false 或 {{ something | safe }} unless whatever you are escaping is something you created yourself or someone you trust, otherwise you could put yourself and users under the treat of attacks such as XSS.安全 }} 除非您是 escaping 是您自己创建的或您信任的人,否则您可能会将自己和用户置于 XSS 等攻击之下。 What you need is a WYSIWYG such as Quill, Summernote, ckeditor or anyone of your choice, and use something such as the bleach package to clean and sanitize whichever parts of the html you are getting.您需要的是所见即所得的工具,例如 Quill、Summernote、ckeditor 或您选择的任何产品,并使用漂白剂 package 等清洁和消毒 ZFC35FDC70D5FC69D23EZC 的任何部分。
I have created a Flask-Blog with a WYSIWYG editor, Quill, with the bleach package in the backend for sanitizing.我用所见即所得的编辑器 Quill 创建了一个 Flask-Blog,在后端使用漂白剂 package 进行消毒。 If you'd like to take a look on how they are implemented, refer to this Flask-Blog如果您想了解它们是如何实现的,请参阅此Flask-Blog
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.