How can I prevent web2py from automagically encoding HTML entities?
I'm trying to print out the HTML generated for user-submitted markdown, by
{{=markdown(post.message)}}
where the markdown function is imported through
from gluon.contrib.markdown.markdown2 import markdown
web2py seems to automatically encode HTML entities, so every < is converted into &lt; and every > is converted into &gt;. How do I prevent this from happening?
Are there any security concerns that I'll need to keep in mind while doing so? Also, could anyone kindly tell me how I can strip the HTML when storing it in the database, while retaining the markdown?
You have to do this:
{{=XML(markdown(post.message))}}
Every string is sanitized by the template render; if you pass "<div>" it will be rendered as "&lt;div&gt;". It is to protect against malicious code.
When you pass a string to the XML helper, XML("<div>"), it uses an XML parser to render the string into an XML tree structure. XML has a method .xml() which returns the unescaped string to the response.body, so the user's browser has the correct HTML.
You can control some parameters of XML rendering:
:param text: the XML text
:param sanitize: sanitize text using the permitted tags and allowed attributes (default False)
:param permitted_tags: list of permitted tags (default: simple list of tags)
:param allowed_attributes: dictionary of allowed attributes
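Wrapping user-submitted markdown in XML() tells the template to stop escaping it, so the sanitize / permitted_tags / allowed_attributes parameters above are what stands between a hostile post and the reader's browser. The following is an added, stand-alone illustration of that allow-list idea, not web2py's own XML helper or its default lists: the class name, the tag set, the attribute map and the href scheme check are this example's assumptions, and the input is a constructed stand-in for markdown() output on a hostile post.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allow-list, in the shape of XML(sanitize=True, permitted_tags=..., allowed_attributes=...).
PERMITTED_TAGS = {"p", "em", "strong", "code", "pre", "a", "ul", "ol", "li", "blockquote", "br"}
ALLOWED_ATTRIBUTES = {"a": {"href", "title"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


class AllowListSanitizer(HTMLParser):
    """Re-emits only permitted tags and attributes; everything else is escaped back to text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in PERMITTED_TAGS:
            # Unknown tag (e.g. <script>) is kept as visible text, not markup.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRIBUTES.get(tag, ()):
                continue  # drops event handlers, style, etc.
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # drops links with unexpected URL schemes
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> -> <br>

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag if tag in PERMITTED_TAGS else escape("</%s>" % tag))

    def handle_data(self, data):
        self.out.append(escape(data))  # text content is always re-escaped


def sanitize(rendered_html):
    """Return an allow-listed version of HTML produced from untrusted markdown."""
    parser = AllowListSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)


# Constructed stand-in for markdown(post.message) on a hostile post.
RENDERED = ('<p>Hello <strong>world</strong> '
            '<a href="javascript:alert(1)" onclick="alert(2)">x</a></p>'
            '<script>alert(3)</script>')
```

Passing sanitize(RENDERED) rather than RENDERED into the unescaped path is the equivalent of turning on sanitize=True: the <p>/<strong>/<a> structure survives, while the script element and the dangerous attributes do not.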