In the Django admin console how do you stop fieldset fields from escaping HTML?


I have a stacked inline display. The model of the inline class has a child in a ManyToMany relationship. I want to display the images, but I cannot see how to stop Django escaping the HTML. It seems I need a function similar to "display_as" for how Django gathers the available images and displays them in the "CheckboxSelectMultiple".

FYI: I want to add sorting of the images after I get them to display.

models.py

    from django.conf import settings
    from django.db import models
    from django.utils.safestring import mark_safe


    class BlogWidgetCarousel(models.Model):
        entry = models.TextField()
        blog = models.ForeignKey(Blog, blank=True, null=True)
        position = models.PositiveSmallIntegerField("position")
        images = models.ManyToManyField("Image")

        class Meta:
            ordering = ('position',)

        def __str__(self):
            return str(self.position)

        def save(self, *args, **kwargs):
            self.entry = "<b><i>TODO: create image slider</i></b>"
            super(BlogWidgetCarousel, self).save(*args, **kwargs)

        def display(self):
            return self.entry


    class Image(models.Model):
        title = models.CharField(max_length=60, blank=False, null=False)
        image = models.ImageField(upload_to="images/")

        def thumb(self):
            return '<a href="{0}"><img src="{0}"></a>'.format(settings.MEDIA_URL + str(self.image))

        def __str__(self):
            #return self.title
            #return '<img src="{0}">'.format(settings.MEDIA_URL + str(self.image))
            return mark_safe("<b>bold</b>")  # added to test escaping... bold tags still appear on the page.
        __str__.allow_tags = True  # does not appear to work

admin.py

    from django.contrib import admin
    from django.db import models
    from django.forms import CheckboxSelectMultiple

    from .models import BlogWidgetCarousel


    class BlogWidgetCarouselInline(admin.StackedInline):
        formfield_overrides = {
            models.ManyToManyField: {'widget': CheckboxSelectMultiple},
        }
        model = BlogWidgetCarousel
        extra = 0  # the attribute name was lost in the post; `extra` is assumed here
        # Django knows images is a ManyToMany
        fieldsets = (
            ("Create carousel:", {
                'fields': (("position"), 'images',)
            }),
            ("Result:", {
                'fields': ('thumb', 'display_as',)
            }),
        )
        readonly_fields = ('display_as', 'thumb',)

        def display_as(self, instance):
            return instance.display()
        display_as.allow_tags = True

        def thumb(self, instance):
            x = ""
            for i in instance.images.all():
                x += i.thumb()
            return x
        thumb.allow_tags = True


Update: I found that the widget I am using has a render function with the following line:

    return format_html('<label{}>{} {}</label>', label_for, self.tag(attrs), self.choice_label)

This means the value the template uses is escaped. Altering it to the following fixes the problem:

    return format_html(
        '<label{}>{} {}</label>', label_for, self.tag(attrs), mark_safe(self.choice_label)
    )

Now I am not sure whether I am implementing this in an "incorrect" way, or whether it is normal to need to write a custom widget and overwrite the render function.

You can use format_html() for it. The django.utils.html module provides low-level utilities for escaping HTML.

This function is preferred over string interpolation using % or str.format() directly, because it applies escaping to all arguments, just as the template system applies escaping by default.

You have used mark_safe() to escape the HTML as below:

    mark_safe(u"%s <b>%s</b> %s" % (some_html,
                                    escape(some_text),
                                    escape(some_other_text),
                                    ))

But by using the code below,

    format_html(u"{0} <b>{1}</b> {2}", mark_safe(some_html), some_text, some_other_text)

you don't need to apply escape() to each argument, and you avoid the risk of a bug and an XSS vulnerability if you forget one.

You can use the autoescape built-in template tag in the template. The tag takes either on or off as its argument, which determines whether auto-escaping is in effect inside the block. The block is closed with an endautoescape ending tag.
When auto-escaping is in effect, all variable content has HTML escaping applied before the result is placed in the output (but after any filters have been applied). This is equivalent to manually applying the escape filter to each variable.

    {% autoescape on %}
        {{ image_object }}
    {% endautoescape %}

This should solve the problem.
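As an added illustration (not part of the question or the answer above, and not Django's own code), the stand-alone Python below reproduces the argument-level escaping rule behind format_html() with small stand-ins for Django's mark_safe, conditional_escape and format_html, and runs the widget render() line from the question against a constructed image title: the unpatched line escapes the title, a thumb() built with format_html gets its markup through while the title inside alt stays escaped, and the question's mark_safe(self.choice_label) patch lets the raw title markup reach the page. MEDIA_URL, the checkbox tag and the title are constructed values.

```python
from html import escape


class SafeString(str):
    """A str already known to be safe HTML; stand-in for Django's SafeString."""


def mark_safe(s):
    """Stand-in for django.utils.safestring.mark_safe: trust s as it is."""
    return s if isinstance(s, SafeString) else SafeString(s)


def conditional_escape(value):
    """Stand-in for django.utils.html.conditional_escape: escape unless already safe."""
    if isinstance(value, SafeString):
        return value
    return SafeString(escape(str(value), quote=True))


def format_html(template, *args):
    """Stand-in for django.utils.html.format_html: every argument is conditionally escaped."""
    return mark_safe(template.format(*(conditional_escape(a) for a in args)))


MEDIA_URL = "/media/"  # assumed value of settings.MEDIA_URL


def thumb(image_path, title):
    """Image.thumb() written with format_html: fixed markup, escaped URL and title."""
    url = MEDIA_URL + image_path
    return format_html('<a href="{0}"><img src="{0}" alt="{1}"></a>', url, title)


def render_choice(label_for, tag, choice_label):
    """The widget render() line quoted in the question: label escaped unless it is SafeString."""
    return format_html("<label{}>{} {}</label>", label_for, tag, choice_label)


def render_choice_trusting(label_for, tag, choice_label):
    """The question's patch: mark_safe() on the label switches escaping off for every label."""
    return format_html("<label{}>{} {}</label>", label_for, tag, mark_safe(choice_label))


# Constructed sample data: an uploaded image whose title contains markup characters.
TITLE = 'Cat <b>photo</b> & "friends"'
LABEL_FOR = mark_safe(' for="id_images_0"')
TAG = mark_safe('<input type="checkbox" name="images" value="1" id="id_images_0">')

if __name__ == "__main__":
    print(render_choice(LABEL_FOR, TAG, TITLE))                           # title escaped
    print(render_choice(LABEL_FOR, TAG, thumb("images/cat.png", TITLE)))  # markup kept, alt escaped
    print(render_choice_trusting(LABEL_FOR, TAG, TITLE))                  # raw title markup passes
```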

