I am using markdown on the comments system in my blog developed using django
I want to limit the possible format to accept just a basic one (with bold, italic, link and code)
How do I set Markdown to do this ?
if this is not possible using markdown so any alternatives ?
PS : i am using the default django app 'django.contrib.markup'
here is the actual code i am using on my template:
<div class="comment-content>
<p>
{% load markup %}
{{ comment.comment|markdown:"safe" }}
</p>
</div>
It would depend on which markdown plugin you're using there are many out there from a quick google search.
You'll have to either find documentation online for the specific one you are using, or perhaps look through the source and if it's open source modify it if you have to.
Or just find another one that allows that functionality.
edit:
Seems that django uses python-markdown(http://www.freewisdom.org/projects/python-markdown/), from a quick look it doesn't seem to support specifying only specific formatting options. However it seems to be easily extensible, so if you write an extension you can use it in django like this:
{{ string|markdown:"extension_name,extension2,etc..." }}
You could use Bleach and write a template tag to strip out the tags you don't want.
For example, to allow only bold and italic:
#register.filter
def limit_markdown(comment):
comment = bleach.clean(comment, tags=['b', 'i', 'em'], strip=True)
return comment
Then in your template, you could use it as:
{{ comment.comment|markdown|limit_markdown|safe }}
Related
I need to render some code in a web page, with highlight. I'm using Flask and found that I could use jinja2-highlight. It works great, but I have some problems.
What I tried :
{% highlight 'python' %}
{{ item.text }}
{% endhighlight %}
Seems to work, I have my 40 lines of code but all special char like " ... are displayed as this. So I add the |safe to the line {{ item.text }}. And now, all char are ok, but I don't see my full code, only 5 lines (the fifth line is complete).
I think I know what is the problem but don't know hw to solve it.
I have some line in my code like or and it seems that it's not escaped. Any idea why jinja2 does not escape <> ?
I'm not clear about security question with the |safe too. What does the server risks ?
item.text|safe should help. It appears that you're escaping the code twice. You may have some kind of auto-escape enabled.
You don't have to care about the server safety, as long as you don't share your actual code of your site.
Currently coding a bbs-style app, I'm wondering what are the best practices to display text that user entered safely. Which means I don't want them to type javascript or things like that. For now I'm rendering in a pre, and forbid the "<" and ">" chars. Though I guess it is not the right way to do it. Plus the lines are cut while it shouldn't.
Could you please give me some hints on how to that ?
More informations : I'm storing those posts in a sqlite db using flask-sqlalchemy. So I don't want them to contain SQL-Injection (which I highly doubt it is possible to do with sqlalchemy)
If you are using the Jinja2 templates as set up by Flask, all content is auto-escaped by default for HTML characters; see Jinja2 setup in the templating documentation:
Unless customized, Jinja2 is configured by Flask as follows:
autoescaping is enabled for all templates ending in .html, .htm, .xml as well as .xhtml
a template has the ability to opt in/out autoescaping with the {% autoescape %} tag.
SQLAlchemy, used properly, indeed protects you from SQL injection attacks.
If you want newlines in user input to be translated to <br/> tags in the HTML output, you can use this Flask Snippet that adds a Jinja2 tag filter that does just that; translate newlines in an input variable into <br/> tags in the rendered output, while still escaping everything else. Multiple newlines are translated to <p> paragraph tags.
Add that snippet as a module to your project, make sure it is imported, then use the nl2br filter in your templates:
User text as paragraphs with line breaks:<br/>
{{ user_text | nl2br }}
Jinja's autoescape is turned on by default in Flask. Anything not explicitly marked safe will be escaped correctly.
http://flask.pocoo.org/docs/templating/#controlling-autoescaping
I use Bleach - http://bleach.readthedocs.org/ to strip HTML and only let through the tags I want to allow. It's really easy to use.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
I am trying to self-learn developing Web applications using Python as backend. Since I am from C++ background I find difficulty in building web pages (design / implementation) and backend code associated to it – creation of CSS, HTML code, including Images, tables etc. I read about http://webpy.org/ framework but have not yet used it. In actual I am a bit confused how to develop a great UI page using Python – something like page having multiple tabs, color scheme, drop box, list, graphs and other UI component / widgets - and ofcouse backend code associated to it.
Can anyone please let me know what path we should take so that the same can be made easy? I read about JQuery and believe that in computing world there are a lot of tools like that available but which combinations stands the best and .. easy to work with.
You can't run python in the browser. So, for web development it's used exclusively on the server side. And really it's whole purpose is to enforce your business logic and generate the markup for your site. Then the client side technologies (HTML5+Browser, Javascript and CSS) take over.
On the server-side, Django is really popular right now. It is quite robust and has a very active community behind it. I would recommend that you look at the Django tutorial. For the client side, jQuery is very popular and has a HUGE community behind it. There are many, many tutorials out there - just google "jQuery tutorial".
If you are not very good with CSS (and it sounds like you might not be), then I would personally recommend one of the grid-based CSS frameworks. They make it a lot easier to get a professional looking site. And with the responsive frameworks, then you have the added benefit of being quasi-mobile enabled. There are a bunch of them. Including one of the originals Grid 960, but again there are many. Here's a pretty good blog post on 16 of them.
As for controls/widgets, there are several to choose from. jQueryUI is very good and popular. While not as popular, Dojo is still a good option to check out. ExtJS is good, but not free. And the list goes on... YUI, etc. You will probably just want to pick one with a good community behind it and learn it.
I think this contributes to the discussion as it helped me a bit in making Python great for the web.
Metalfan, I saw you asking on the chat:
Are there any libraries which makes Python work like PHP. I mean embed
into HTML something like
You're asking about a templating library to build html, css, javascript, sql or anything else. I've searched for a tool to do that, and found Cog, Cheetah and most of what else Google throws at you. I was inspired by what I was in Django, which gives the template processing access to objects and basically the whole language, instead of only doing macro-expansion.
Web2py has a module that does just that, and I've found it very easy to modify or use stand-alone. I can't remember if I've made any modifications to the original, so I've uploaded the version I'm using, so it should work out of the box.
To generate code from a template, you include the template module, and call the render function with a template (string) and a context (dict containing local environment). Like this:
from template import render
import urllib2
environment = dict(
elements=[1, 2, 3],
username="mortn",
session_id="xyz",
lam=lambda x=0: urllib2.urlopen("http://google.com").read(),
f=f,
)
print render(content=html_template, context=environment)
The template would then look like this:
<html>
<h1>Hello {{= username }}</h1><br/>
{{ if session_id=="xyz": }}
{{ # indentation doesn't matter.. }}
this isn't printed unless if-statement matches
{{ else: }}
instead this would be shown
{{ pass # each if/for/while statements (that would
{{ # "indent your code"), must end with pass }}
{{ for e in elements: }} - {{=e}}
{{ pass }}
{{ # demo of looping }}
{{ if 1: }}
{{ for i in xrange(10): }}<br/>{{ pass }}
{{ pass }}
{{ # imported function }}
100 chars of google html get:
{{ =lam()[:100] }}
{{ # you can access the whole language with this }}
{{ =f()}}
.... and it gives THIS output:
<html>
<h1>Hello mortn</h1><br/>
this isn't printed unless if-statement matches
- 1
- 2
- 3
<br/><br/><br/><br/><br/><br/><br/><br/><br/><br/>
100 chars of google html get:
<!doctype html><html itemscope="itemscope"itemtype="http://schema.org/WebPage"><head><meta itemprop
you can do whatever
It messes a bit with the white spacing as you'll see, I've shortened the output down as each {{ block generates a newline. It can be edited in the template.py module as it has VERY readable code that adheres to PEP8.
TL;DR:
Here's the link for the sample code in a single file:
http://pastie.org/4776120
and the template.py module: http://pastie.org/4775988
First, check [w3schools.com][1] out,
Read on about 1)HTML, 2) CSS, 3) JavaScript 4) PHP
If you really want to build web apps fast, i'd recommend you to choose php over python, because php especially designed to build dynamic web apps.
I am using Django and I am wondering how I can accomplish this. It works fine in python in Linux but the HTML Templating language keeps saying it cannot parse the array.
{% if myvalue in ["128","256","512","768","1024","1536","2048","3072","5120","10240"] %}
<p> Hello World
{% endif %}
It says it cannot parse the remainder and then it displays the list.
You can't create arbitrary lists in the Django templating system. You need to pass the created list via your view. See This question for a detailed discussion.
TAL, TALES and METAL are all three the zope templating language. The thing that I don't understand is why so much troubles. I don't understand the spirit of ZTL, any tips ?
one more question : is there a standalone library that try to achieve the same thing that ZTL but outside the Zope ecosystem ?
The core idea of tal/tales is to have proper valid (x)html. All the template functionality is in attributes or namespaced elements. HTML editors should work just fine with these templates. Let's give an example. First tal/tales:
<ul>
<li tal:repeat="customer customers">
<a href=""
tal:attributes="href customer.url"
tal:content="customer.name>
Sample customer name
</a>
</li>
</ul>
And in Django's template language, just as an example:
<ul>
{% for customer in customers %}
<li>
<a href="{{ customer.url }}">
{{ customer.name }}
</a>
</li>
{% endfor %}
</ul>
Which one's better? Open question. One plays nice with your html editor, the other makes the non-html statements clearer. Anyway, making it proper html is the main idea behind tal/tales!
Your last question: http://zpt.sourceforge.net/
Since the other question isn't that specific, I'm not sure there's a definitive answer to this, unless one of the original developers answers.
Zope Page Templates is the templating system making use of TAL/TALES/METAL, and the specific issue it tries to solve is the same as with many other templating systems: produce valid HTML. In the case of ZPT it is possible to create also any flavour of XML. At the time of its creation, it had some outstanding properties:
the templates itself could be used in designing tools like Dr*beep*mw*beep*ver or Fr*beeb*ntp*beep*ge without modification
the nested structure of XML/XHTML was ensured (invalid structured XML wouldn't work)
the templates themselves could be nested, mixed and matched
pure python implementation (rather clean code) and embedded python expressions
in the meantime the web has caught up and there are many alternatives available