Web2py has really decent security issue prevention built in, see here:
http://web2py.com/books/default/chapter/34/01/introduction#Security


*cheers :D




On Mon, Dec 15, 2014 at 11:49 PM, Ramashish Gaurav <ramashis...@gmail.com>
wrote:
>
> Thanks all the way, Andrew. This was the perfect solution to my problem,
> for which I wasted a day. One more thing: if you wish to, please give me
> some info about XSS attacks, how we can ignorantly get caught in them, and
> the measures taken to prevent XSS attacks.
>
> On Tuesday, December 16, 2014 1:20:20 AM UTC+5:30, Andrew wrote:
>>
>> Hey there, if I understand correctly you want to display the formatted
>> output rather than the raw HTML. If so, use this in your view and add any
>> HTML tags you would like to allow.
>>
>> {{=XML(row.textfromeditor, sanitize=True,
>>        permitted_tags=['a', 'b', 'blockquote', 'br', 'i', 'li',
>>                        'ol', 'ul', 'p', 'cite', 'code', 'pre', 'img'],
>>        allowed_attributes={'a': ['href', 'title'],
>>                            'img': ['src', 'alt'],
>>                            'blockquote': ['type']})}}
>>
>>
>>
>> or do this, which I highly suggest not doing:
>> {{=XML(row.textfromeditor, sanitize=False)}}
>>
>> *cheers
>>
>>
>> On Mon, Dec 15, 2014 at 6:50 AM, Ramashish Gaurav <ramas...@gmail.com>
>> wrote:
>>>
>>> Dear Andrew,
>>>
>>> Many thanks for your response and elaborate explanation of the installation
>>> of CKEditor. However, I used another lightweight editor, nicEdit, since the
>>> installation was pretty easy as directed at http://nicedit.com/ .
>>> However, I am in a problem, not related to installation of editors, but in
>>> showing the HTML document after it has been saved from the textarea.
>>>
>>> The content from the textarea in HTML used with nicEdit is in HTML
>>> format. After getting the HTML-coded text from the textarea and saving it in
>>> the database, I need to redisplay it on demand. I tried to use a textarea in
>>> read-only mode to display the HTML text in formatted form, and searched for
>>> hours on the internet but with no luck. The textarea always showed the raw HTML
>>> code instead of the formatted one. I also read that it can be done via an
>>> editor only, not a textarea. So I used nicEdit again, but don't know how to use it
>>> in read-only mode. Stack Overflow had a post related to the similar problem
>>> of using nicEdit with the edit option disabled, but it did not come to my
>>> rescue. I implemented the code posted there in the answer, but was not able to
>>> set nicEdit in read-only mode. Here is the link.
>>>
>>> http://stackoverflow.com/questions/4282446/how-to-set-nicedit-uneditable
>>>
>>> If you do know how to display the HTML-coded text in a formatted way via
>>> nicEdit or any other way, I'd appreciate your help.
>>>
>>> Here is the code I have implemented:
>>>
>>> {{extend 'layout.html'}}
>>> <head>
>>>
>>> <script src="http://js.nicedit.com/nicEdit-latest.js"
>>> type="text/javascript"></script>
>>> <script type="text/javascript" src="jquery-1.11.1.js"></script>
>>> <script type="text/javascript">bkLib.onDomLoaded(nicEditors.allTextAreas);</script>
>>> <script type="text/javascript" src="http://js.nicedit.com/nicEdit-latest.js">
>>> //<![CDATA[
>>>     bkLib.onDomLoaded(function(){
>>>         var myNicEditor = new nicEditor();
>>>         myNicEditor.addInstance("nice");
>>>         nicEditors.findEditor("nice").disable();
>>>     });
>>> //]]> </script>
>>>
>>> </head>
>>>
>>> <body>
>>>     {{for row in rows:}}
>>>     <textarea id="nice">{{=row.textfromeditor}}</textarea>
>>>     {{pass}}
>>>
>>> </body>
>>>
>>>
>>> On Monday, December 15, 2014 6:45:52 AM UTC+5:30, Andrew wrote:
>>>>
>>>> Your error at this point isn't from CKEditor; you are using a
>>>> reserved SQL keyword in your database table/field. I suggest removing this
>>>> line *check_reserved=['all']* or changing the name of one of the
>>>> fields/tables in question.
>>>>
>>>> As a side reference here is a brief bit of info for implementing
>>>> ckeditor.
>>>>
>>>> I haven't used ckeditor in a long time but if the code remains the same
>>>> then you can do this.
>>>>
>>>> in db.py add:
>>>>
>>>> def advanced_editor(field, value):
>>>>     return TEXTAREA(_id=str(field).replace('.', '_'), _name=field.name,
>>>>                     _class='text ckeditor', value=value, _cols=80, _rows=10)
>>>>
>>>> For the text field, use this as an example:
>>>> Field('body', 'text', widget=advanced_editor)
>>>>
>>>> In your template file, for example layout.html, add the path to ckeditor:
>>>> <script type="text/javascript" src="{{=URL(request.application,'static','ckeditor/ckeditor.js')}}"></script>
>>>>
>>>> Then choose whether or not to sanitize the input. If other users will
>>>> submit your form, I would choose to sanitize the info:
>>>>
>>>> Example sanitized:
>>>> {{=XML(query.body, sanitize=True,
>>>>        permitted_tags=['a', 'b', 'blockquote', 'br', 'i', 'li',
>>>>                        'ol', 'ul', 'p', 'cite', 'code', 'pre', 'img'],
>>>>        allowed_attributes={'a': ['href', 'title'],
>>>>                            'img': ['src', 'alt'],
>>>>                            'blockquote': ['type']})}}
>>>>
>>>> Example unsanitized: {{=XML(query.body,sanitize=False)}}
>>>>
>>>> You can choose which values you will allow to be displayed for that form
>>>> code in the CKEditor config. I don't remember whether there is anything you need
>>>> to do in the controller files, but looking at the code I don't believe so.
>>>>
>>>> *cheers!
>>>>
>>>> On Wed, Dec 10, 2014 at 10:50 PM, Ramashish Gaurav <ramas...@gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>> Hi all !
>>>>>
>>>>> First of all, I am a newbie in web2py.
>>>>> I am working on a project and need to install an editor plugin in my
>>>>> web2py app named "editor". After hours of searching I got the ck_editor4
>>>>> plugin <http://www.web2pyslices.com/slice/show/1952/ck-editor4-plugin>,
>>>>> installed it and then made some changes in the models and views of my
>>>>> application. Changes were made in:
>>>>>
>>>>> 1:   editor/models/db1.py
>>>>> Contents are :
>>>>>
>>>>> # -*- coding: utf-8 -*-
>>>>> from plugin_ckeditor import CKEditor
>>>>> ckeditor = CKEditor(db)
>>>>> ckeditor.define_tables()
>>>>>
>>>>> db.define_table('content', Field('title', length=255),
>>>>>                 Field('public', 'boolean', default=True),
>>>>>                 Field('text', 'text', widget=ckeditor.widget))
>>>>>
>>>>> 2:   editor/views/default/index.html
>>>>> Contents are:
>>>>>
>>>>> {{=ckeditor.edit_in_place('.editable', URL())}}
>>>>>
>>>>> After opening the index page in browser a ticket was raised which says
>>>>> this:
>>>>>
>>>>> Traceback (most recent call last):
>>>>>   File "gluon/restricted.py", line 224, in restricted
>>>>>   File "C:/Users/Ramashish 
>>>>> Gaurav/Downloads/web2py_win/web2py/applications/editor/models/db1.py" 
>>>>> <http://127.0.0.1:8000/admin/default/edit/editor/models/db1.py>, line 4, 
>>>>> in <module>
>>>>>     ckeditor.define_tables()
>>>>>   File "applications\editor\modules\plugin_ckeditor.py", line 59, in 
>>>>> define_tables
>>>>>     fake_migrate = fake_migrate,
>>>>>   File "gluon/dal.py", line 8414, in define_table
>>>>>   File "gluon/dal.py", line 8430, in lazy_define_table
>>>>>   File "gluon/dal.py", line 8952, in __init__
>>>>>   File "gluon/dal.py", line 8119, in check_reserved_keyword
>>>>> SyntaxError: invalid table/column name "length" is a "ALL" reserved 
>>>>> SQL/NOSQL keyword
>>>>>
>>>>> Please help me regarding this issue (maybe I am not placing the right
>>>>> code in the right place).
>>>>> (I don't know whether this editor will support programming languages
>>>>> like C, C++ etc., so if you know of any new, simple programming-language
>>>>> based editor for a web2py app, I'll be happy to install that.)
>>>>>
>>>>> --
>>>>> Resources:
>>>>> - http://web2py.com
>>>>> - http://web2py.com/book (Documentation)
>>>>> - http://github.com/web2py/web2py (Source code)
>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "web2py-users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to web2py+un...@googlegroups.com.
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>
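The whitelist Andrew passes to XML() only prevents stored XSS if every tag and attribute outside the list is stripped and the URL attributes that survive cannot carry a script scheme. The following sanitizer is an added example written for this thread, not web2py's own code or Andrew's; it applies the same permitted_tags and allowed_attributes lists with the standard-library HTMLParser, and the javascript:-scheme check on href/src is my own assumption about what such a filter must do, not a claim about what gluon's XML() implements.

```python
from html import escape
from html.parser import HTMLParser

# Same whitelist the thread passes to web2py's XML(..., sanitize=True);
# the class below is a stand-alone illustration, not gluon's own sanitizer.
PERMITTED_TAGS = ['a', 'b', 'blockquote', 'br', 'i', 'li', 'ol', 'ul',
                  'p', 'cite', 'code', 'pre', 'img']
ALLOWED_ATTRIBUTES = {'a': ['href', 'title'], 'img': ['src', 'alt'],
                      'blockquote': ['type']}
SAFE_URL_PREFIXES = ('http:', 'https:', 'mailto:', '/', '#')
VOID_TAGS = {'br', 'img'}

class WhitelistSanitizer(HTMLParser):
    """Keep whitelisted tags/attributes; everything else becomes escaped text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _safe_url(self, value):
        # Block javascript:, data:, vbscript: ... in href/src (entities like
        # &#106; are already decoded by HTMLParser, so the real scheme is seen).
        v = ''.join(value.split()).lower()  # also defeats "java\tscript:"
        return v.startswith(SAFE_URL_PREFIXES) or ':' not in v

    def handle_starttag(self, tag, attrs):
        if tag not in PERMITTED_TAGS:
            return  # <script>, <iframe>, ... dropped; their text stays escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRIBUTES.get(tag, []):
                continue  # drops onerror=, onclick=, style=, ...
            if name in ('href', 'src') and not self._safe_url(value or ''):
                continue
            kept.append(' %s="%s"' % (name, escape(value or '', quote=True)))
        self.out.append('<%s%s>' % (tag, ''.join(kept)))

    def handle_startendtag(self, tag, attrs):  # <br/>, <img .../>
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in PERMITTED_TAGS and tag not in VOID_TAGS:
            self.out.append('</%s>' % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html):
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    return ''.join(parser.out)
```

Feeding it editor output such as `<img src="javascript:alert(1)" onerror="alert(1)">` yields a bare `<img>`, while `<a href="https://example.com" title="t">x</a>` passes through unchanged.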
