Hi,

For security purposes, as_html() (and other HTML-returning methods) need to
return a string marked as safe for HTML. Plain text strings are considered
unsafe by default. For instance, in your case, if some_url was able to be
provided by a user in some form, it could contain code like:

    ><script>something_malicious();</script><

What you want to do is use Django's format_html(), which would change your
function body to be:

    return format_html('<a href="{}">link</a>', some_url)

This will do two things:

1) It will check if some_url is marked safe (through another format_html()
call or Django's mark_safe()), and if not, escape it before putting it in
the string. If it is safe, it will insert it as-is.

2) It will mark the returned string as safe, allowing it to be rendered in
a template.

Christian

On Thu, Jan 25, 2018 at 5:30 AM, Meng-Zhe Zhang <[email protected]>
wrote:

> Hi all.
>
> I wrote an extension to add custom links on review pages by overwriting
> the as_html() method of BaseReviewRequestField object:
>
>
> class JenkinsLinkField(BaseReviewRequestField):
>     field_id = 'jenkins_link'
>     label = 'link'
>
>     def as_html(self):
>         # example code
>         return "<a href=%s>link</a>" % some_url
>
>
> and this works fine on version 2.5.7.
>
> After upgrading to 3.0.1, it seems that the HTML content is now rendered
> as plain text, and the links no longer work.
>
> I compared the implementation of BaseReviewRequestField in different
> versions, but have no clue which part to look at.
>
>
> My questions are:
>
> 1. Which property of the BaseReviewRequestField object should I adjust so
> it can be rendered as html, not plain text?
>
> 2. Or, are there any other ways to add content-related links on review
> pages?
>
>
>
> Thanks for your answer.
>
> MZZ
> 2018/01/25
>
> --
> Supercharge your Review Board with Power Pack:
> https://www.reviewboard.org/powerpack/
> Want us to host Review Board for you? Check out RBCommons:
> https://rbcommons.com/
> Happy user? Let us know! https://www.reviewboard.org/users/
> ---
> You received this message because you are subscribed to the Google Groups
> "Review Board Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Christian Hammond
President/CEO of Beanbag <https://www.beanbaginc.com/>
Makers of Review Board <https://www.reviewboard.org/>
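As an added illustration (not code from this thread, from Review Board, or from Django itself), the following stand-alone reimplementation of the two behaviours described above lets you compare the old `%`-formatted `as_html()` with the `format_html()` version without installing Django. `SafeString`, `mark_safe`, `conditional_escape` and `render_field` are simplified stand-ins for Django's real utilities, and the sample URL is constructed for the example.

```python
import html


class SafeString(str):
    """A str flagged as already-escaped HTML (simplified stand-in for
    Django's SafeString; not Django's own code)."""
    __slots__ = ()


def mark_safe(value):
    """Flag a string as safe HTML without escaping it."""
    return value if isinstance(value, SafeString) else SafeString(value)


def conditional_escape(value):
    """Escape the value unless it is already marked safe."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def format_html(fmt, *args, **kwargs):
    """Like str.format(), but every argument is conditionally escaped and
    the result is marked safe (mirrors django.utils.html.format_html)."""
    safe_args = [conditional_escape(a) for a in args]
    safe_kwargs = {k: conditional_escape(v) for k, v in kwargs.items()}
    return mark_safe(fmt.format(*safe_args, **safe_kwargs))


def as_html_old(some_url):
    """The pre-upgrade field body: a plain str, nothing escaped or marked."""
    return "<a href=%s>link</a>" % some_url


def as_html_new(some_url):
    """The recommended field body: input escaped, output marked safe."""
    return format_html('<a href="{}">link</a>', some_url)


def render_field(value):
    """What the template layer does with as_html()'s return value under
    autoescaping: safe strings pass through, plain strings are escaped."""
    return str(conditional_escape(value))


if __name__ == "__main__":
    url = "https://ci.example.test/job/42"  # constructed sample value
    print(render_field(as_html_old(url)))   # tags shown as literal text
    print(render_field(as_html_new(url)))   # a working link
```

Feeding the `><script>…</script><` value quoted earlier in the thread into `as_html_new()` yields an `href` containing only `&gt;`, `&lt;` and friends, while a value wrapped in `mark_safe()` is inserted verbatim, which is why only trusted, already-escaped strings should ever be marked safe.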
