
Python/Flask: Inject HTML to page

I have a page that gets input from the user and stores it in an object inside a dictionary in server side.

class post:
    def __init__(self, title, content, date, poster, desc):
        self.title = title
        self.content = content
        self.date = date
        self.poster = poster
        self.desc = desc

posts = {}

... 
    if request.method == "POST":
        # NOTE: title and description are inputs, and content is a textarea.
        # I only want to input HTML in the content textarea.
        title = request.form["title"]
        content = request.form["content"]
        description = request.form["description"]
        if title in posts:
            flash("A post with that title already exists!")
            return redirect(url_for("post_content"))
        else:
            posts[title] = post(title, content, date, session["user"], description)
            flash("Posted successfully!")
            return redirect(url_for("home"))
    else:
        return render_template("post.html")
...

I then send the data in posts to another page

@app.route("/post/<title>")
def post_page(title):
    data = posts[title]
    return render_template("content.html", post=data)

This is the template for content.html

{% extends "base.html" %}
{% block title %}{{post.title}}{% endblock %}
{% block content %}
    <h1>{{post.title}}</h1>
    <p>By {{post.poster}}, {{post.date}}</p>
    <p><i>{{post.desc}}</i></p> <br>
    <p>{{post.content}}</p>
{% endblock %}

However, when I try sending HTML, it just shows as it was inputted (<h1>Hello</h1> just shows as it is instead of making it a heading). Additionally, if I try inputting multiple lines, it just shows as one long line in the output.

How do I display the inputted text as HTML?

Your HTML is automatically escaped by Jinja for security reasons. It's not always a good idea to have {% autoescape %} set to false or to use {{ something | safe }} unless whatever you are escaping is something you created yourself or someone you trust created, otherwise you could put yourself and your users under the threat of attacks such as XSS. What you need is a WYSIWYG editor such as Quill, Summernote, CKEditor or any one of your choice, and use something such as the bleach package to clean and sanitize whichever parts of the HTML you are getting.

I have created a Flask-Blog with a WYSIWYG editor, Quill, with the bleach package in the backend for sanitizing. If you'd like to take a look at how they are implemented, refer to this Flask-Blog
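The allowlist approach the answer describes (which is what bleach does) as an added, standard-library-only example; this is not the answerer's Flask-Blog code. The tag and attribute allowlist, the safe URL schemes and the newline-to-`<br>` conversion are assumptions about what a post body should be allowed to contain; the returned string is what you would store in `posts` and render with `{{ post.content | safe }}`, while everything else stays escaped.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist for the post body (constructed for this example; tune to your needs).
ALLOWED_TAGS = {"h1", "h2", "p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style=, no on*= handlers anywhere
SAFE_HREF_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}  # both the tag and its text are removed

class AllowlistSanitizer(HTMLParser):    # rebuilds markup; unknown tags are dropped, text escaped
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skipping = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping = True
        if tag not in ALLOWED_TAGS or self.skipping:
            return
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_SCHEMES):
                continue                  # drops javascript:, data:, vbscript: URLs
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skipping = False
        if tag in self.open_tags:         # close intervening tags so output stays nested
            while (top := self.open_tags.pop()) != tag:
                self.out.append(f"</{top}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:             # newline -> <br> fixes the "one long line" problem
            self.out.append(escape(data, quote=False).replace("\n", "<br>\n"))

def sanitize_post_content(raw: str) -> str:
    """Return HTML that is safe to render with {{ post.content | safe }}."""
    p = AllowlistSanitizer()
    p.feed(raw)
    p.close()
    while p.open_tags:                    # close anything the user left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)
```

Call `sanitize_post_content(request.form["content"])` before storing the post; do not run it at render time, so that the stored value is already the sanitized form.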
