Hi Paul
If you are worried about saving dodgy text in the DB, you could sanitize
it first using XML()
e.g.
XML('<script>dodgy();</script>**Hello**',sanitize=True).xml()
*<script></script>**Hello***
On Thursday, 25 April 2019 12:19:44 UTC+1, Paul Ellis wrote:
>
> I am using an editable span with some js to submit the input via ajax to
> the server. The span is only editable by admins.
>
> To give them some formatting options they can use MARKMIN in the span.
>
> The problem is it only seems to be one directional.
> How can I take the processed HTML and turn it back into MARKMIN in order
> to allow editing?
>
> or at least sanitize it that I can be sure no malicious code has been
> submitted so I can save the MARKMIN in the db.
>
> js that sends the span contents.
> $("document").ready(function() {
>
> // set the event listeners on the edit button
> $("button[name='buttonedit']").click(function() {
> var panel = $(this)[0].previousSibling
> panel.innerText = panel.getAttribute("data-raw")
> panel.setAttribute("contenteditable", "true")
> // console.log(panel)
> $(this).hide()
> $(this)[0].nextSibling.setAttribute("style", "display:true")
> })
> $("button[name='buttonsave']").click(function() {
> $(this).disabled = true
> var xhttp = new XMLHttpRequest();
> xhttp.open('POST', '/assist/update_info_panel', true);
> xhttp.setRequestHeader("Content-type",
> "application/x-www-form-urlencoded");
> var panel = $(this)[0].previousElementSibling.
> previousElementSibling
> var body = {
> 'pid': panel.id,
> 'body': panel.innerText,
> };
> // console.log(body);
> xhttp.onreadystatechange = function() {
> // debug code
> // if (this.readyState == 4) {
> // console.log(this);
> // };
> if (this.readyState == 4 && this.status == 200) {
> var rObj = JSON.parse(this.responseText);
> $("span#"+rObj.pid).replaceWith(rObj.body)
> $("span#"+rObj.pid)
> .next().attr("style", "display:true")
> .next().attr("style", "display:None")
> $("span#"+rObj.pid).find("a").attr("target", "_blank")
>
> }
> };
> xhttp.send(JSON.stringify(body));
> })
> })
>
> the controller function that receives the markmin (via json) and returns
> the HTML.
>
> In order to allow editing the raw markmin is stored in a data attribute. I
> feel this is very unsafe which is why I am asking for help.
> def update_info_panel():
> if auth.has_membership('assistant_admin', cached=True):
> raw_json = None
> for key in request.vars.keys():
> if len(key) > 10:
> raw_json = key
> inData = Storage(json.loads(raw_json))
> pid = inData.pid[5:]
> record = db.product[pid]
> assist_info = inData.body
> if record:
> record.update_record(assist_info=assist_info)
> body = {
> 'pid': inData.pid,
> 'body': SPAN(MARKMIN(assist_info),
> _id=inData.pid,
> _name='info_panel',
> _contenteditable='false',
> data = {'raw': assist_info}
> ).__str__()
> }
> return json.dumps(body)
> else:
> pass
>
> The section of the view which holds the span and edit buttons.
> <div id='info_box' class='well'>
> {{try:}}
> {{for item in extra_info:}}
> {{=DIV(
> SPAN(MARKMIN(item['info']),
> _id= 'info_{0}'.format(item['pid']),
> _name= 'info_panel',
> _contenteditable= 'false',
> _style="display:block",
> data= {
> 'raw':item['info'] if
> auth.has_membership('assistant_admin') else '',
> },
> ),
> BUTTON(SPAN(_class="glyphicon glyphicon-pencil"),
> _class='btn btn-sm btn-default',
> _name='buttonedit')\
> if auth.has_membership('assistant_admin')
> else '',
> BUTTON(SPAN(_class='glyphicon
> glyphicon-floppy-disk'),
> _class="btn btn-sm btn-primary",
> _name="buttonsave",
> _style="display:none")\
> if auth.has_membership('assistant_admin')
> else '',
> _id= 'box_{0}'.format(item['id']),
> _style='display:none',
> )}}
> {{pass}}
> {{except Exception as e:}}
> {{print e}}
> {{pass}}
> </div>
>
> The function looks and works great. Apart from the Italic formatting
> cutting the JSON string short, resulting in invalid JSON and me being very
> uneasy about saving raw user input into the db and then letting it back out
> again.
>
> As a side question. Is there different way to add the JSON string to the
> ajax request in js so that it is accessible from somwhere other than as a
> key in request.vars?
>
>
>
>
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
