Markdown in Django XSS safe

Backend · Unresolved · 2 replies · 1327 views
-上瘾入骨i 2021-01-15 02:30

I am using Markdown in an app to display a user biography. I want the user to be able to slightly format the biography, so I'm letting them use the TinyMCE editor.

2 answers
  •  执笔经年
    2021-01-15 02:49

    Markdown in safe mode would remove all HTML tags, which means your users cannot input HTML segments in the biography. In some cases, this is not preferable. I would recommend you use `force_escape` before `markdown`, so anything fed into markdown is safe.

    For example, if your biography is `<html>I'm really a HTML fan!</html>`, using

    {{ biography|markdown:"safe"}}

    would produce `HTML REMOVED`. Instead, if you use

    {{ biography|force_escape|markdown }}

    the output would be something like

    <html>I'm really a HTML fan!</html>
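    The escape-then-render chain from this answer, as an added example in plain Python (not code from the original post, from Django or from Python-Markdown): `force_escape` is mirrored with `html.escape`, and the tag check at the end confirms that nothing but the renderer's own elements reached the output. It uses the `markdown` package when it is installed and otherwise a tiny bold/emphasis-only stand-in, an assumption made so it runs offline.

```python
import html
import re
from html.parser import HTMLParser

# Added example mirroring {{ biography|force_escape|markdown }} without Django.
try:
    import markdown as _md

    def render_markdown(text: str) -> str:
        return _md.markdown(text)
except ImportError:
    # Constructed stand-in (assumption): just enough Markdown to show the point.
    def render_markdown(text: str) -> str:
        body = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", text)
        body = re.sub(r"\*(.+?)\*", r"<em>\1</em>", body)
        return f"<p>{body}</p>"


def force_escape(text: str) -> str:
    # Django's force_escape turns & < > " ' into entities; html.escape does too.
    return html.escape(text, quote=True)


def render_biography(biography: str) -> str:
    # Escape first, then render: any markup the user typed survives only as
    # text, while Markdown syntax (**bold**, *em*) still produces formatting.
    return render_markdown(force_escape(biography))


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


def tags_in(rendered: str) -> set:
    # Defensive check: which elements actually ended up in the output.
    collector = _TagCollector()
    collector.feed(rendered)
    return collector.tags


ALLOWED_TAGS = {"p", "strong", "em"}  # what the renderer itself may emit


def is_safe_output(rendered: str) -> bool:
    return tags_in(rendered) <= ALLOWED_TAGS


if __name__ == "__main__":
    # Constructed sample biographies, including the one from the answer.
    for bio in ["<html>I'm really a HTML fan!</html>", "I like **bold** text",
                "<script>alert(1)</script>"]:
        out = render_biography(bio)
        print(out, "->", "ok" if is_safe_output(out) else "UNSAFE")
```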
