Web2py has really decent security issue prevention built in; see here: http://web2py.com/books/default/chapter/34/01/introduction#Security

*cheers :D

On Mon, Dec 15, 2014 at 11:49 PM, Ramashish Gaurav <ramashis...@gmail.com> wrote:
>
> Thanks all the way, Andrew. This was the perfect solution to my problem,
> for which I wasted a day. One more thing: if you wish to, please give me
> some info about XSS attacks, how we can ignorantly get caught by them, and
> the measures taken to prevent XSS attacks.
>
> On Tuesday, December 16, 2014 1:20:20 AM UTC+5:30, Andrew wrote:
>>
>> Hey there, if I understand correctly you want to not display the HTML but
>> the formatted output. If so, then use this in your view and add any HTML
>> you would like to allow.
>>
>> {{=XML(row.textfromeditor, sanitize=True,
>>        permitted_tags=['a', 'b', 'blockquote', 'br', 'i', 'li',
>>                        'ol', 'ul', 'p', 'cite', 'code', 'pre', 'img'],
>>        allowed_attributes={'a': ['href', 'title'],
>>                            'img': ['src', 'alt'],
>>                            'blockquote': ['type']})}}
>>
>> or do this, which I highly suggest not doing:
>>
>> {{=XML(row.textfromeditor, sanitize=False)}}
>>
>> *cheers
>>
>> On Mon, Dec 15, 2014 at 6:50 AM, Ramashish Gaurav <ramas...@gmail.com> wrote:
>>>
>>> Dear Andrew,
>>>
>>> Many thanks for your response and elaborate explanation of the
>>> installation of ck-editor. However, I used another lightweight editor,
>>> nicEdit, since the installation was pretty easy as directed at
>>> http://nicedit.com/. However, I have a problem, not related to the
>>> installation of editors, but with showing the HTML doc after it has been
>>> saved from the textarea.
>>>
>>> The content from the textarea in HTML used with nicEdit is in HTML
>>> format. After getting the HTML-coded text from the textarea and saving it
>>> in the database, I need to redisplay it on demand. I tried to use a
>>> textarea in read-only mode to display the HTML text in formatted form,
>>> and searched for hours on the internet but with no luck. The textarea
>>> always showed the raw HTML code instead of the formatted one. Also I read
>>> that it can be done via an editor only, not a textarea.
>>>
>>> So I used nicEdit again, but don't know how to use it in read-only mode.
>>> stackoverflow had a post related to the similar problem of using nicEdit
>>> with the edit option disabled, but it did not come to my rescue. I
>>> implemented the code posted there in the answer, but was not able to set
>>> nicEdit in read-only mode. Here is the link.
>>>
>>> http://stackoverflow.com/questions/4282446/how-to-set-nicedit-uneditable
>>>
>>> If you do know how to display the HTML-coded text in a formatted way via
>>> nicEdit or any other way round, I'd appreciate your help.
>>>
>>> Here is the code I have implemented:
>>>
>>> {{extend 'layout.html'}}
>>> <head>
>>> <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>
>>> <script type="text/javascript" src="jquery-1.11.1.js"></script>
>>> <script type="text/javascript">
>>> //<![CDATA[
>>> // A <script> that has a src attribute ignores its inline body, so the
>>> // setup code needs its own tag. The earlier allTextAreas call would have
>>> // created a second, editable instance for every textarea, so it is gone.
>>> bkLib.onDomLoaded(function(){
>>>     var myNicEditor = new nicEditor();
>>>     // one instance per textarea (ids must be unique, so they carry the
>>>     // row id), each switched to read-only
>>>     var areas = document.getElementsByTagName('textarea');
>>>     for (var i = 0; i < areas.length; i++) {
>>>         myNicEditor.addInstance(areas[i].id);
>>>         nicEditors.findEditor(areas[i].id).disable();
>>>     }
>>> });
>>> //]]>
>>> </script>
>>> </head>
>>>
>>> <body>
>>> {{for row in rows:}}
>>> {{# web2py tables get an id field by default, used here to keep ids unique}}
>>> <textarea id="nice{{=row.id}}">{{=row.textfromeditor}}</textarea>
>>> {{pass}}
>>> </body>
>>>
>>> On Monday, December 15, 2014 6:45:52 AM UTC+5:30, Andrew wrote:
>>>>
>>>> Your error at this point isn't from ckeditor, but you are using a
>>>> reserved SQL keyword in your database table/field. I suggest removing
>>>> this line *check_reserved=['all']* or changing the name of one of the
>>>> fields/tables in question.
>>>>
>>>> As a side reference, here is a brief bit of info for implementing
>>>> ckeditor.
>>>>
>>>> I haven't used ckeditor in a long time, but if the code remains the same
>>>> then you can do this.
>>>>
>>>> in db.py add:
>>>>
>>>> def advanced_editor(field, value):
>>>>     return TEXTAREA(_id=str(field).replace('.', '_'), _name=field.name,
>>>>                     _class='text ckeditor', value=value, _cols=80, _rows=10)
>>>>
>>>> For the text field you use this as an example:
>>>>
>>>> Field('body', 'text', widget=advanced_editor)
>>>>
>>>> In your template file, for example layout.html, add the path to ckeditor:
>>>>
>>>> <script type="text/javascript" src="{{=URL(request.application, 'static', 'ckeditor/ckeditor.js')}}"></script>
>>>>
>>>> Then choose whether or not to sanitize the input. If other users will
>>>> submit your form, then I would choose to sanitize the info:
>>>>
>>>> Example sanitized:
>>>>
>>>> {{=XML(query.body, sanitize=True,
>>>>        permitted_tags=['a', 'b', 'blockquote', 'br', 'i', 'li',
>>>>                        'ol', 'ul', 'p', 'cite', 'code', 'pre', 'img'],
>>>>        allowed_attributes={'a': ['href', 'title'],
>>>>                            'img': ['src', 'alt'],
>>>>                            'blockquote': ['type']})}}
>>>>
>>>> Example unsanitized:
>>>>
>>>> {{=XML(query.body, sanitize=False)}}
>>>>
>>>> You can choose what values you will allow to be displayed for that form
>>>> code in the ckeditor config. I don't remember if there is anything you
>>>> need to do in the controller files, but looking at the code I don't
>>>> believe so.
>>>>
>>>> *cheers!
>>>>
>>>> On Wed, Dec 10, 2014 at 10:50 PM, Ramashish Gaurav <ramas...@gmail.com> wrote:
>>>>>
>>>>> Hi all!
>>>>>
>>>>> First of all, I am a newbie in web2py.
>>>>> I am working on a project and need to install an editor plugin in my
>>>>> web2py app named "editor". After hours of search I got the ck_editor4
>>>>> plugin <http://www.web2pyslices.com/slice/show/1952/ck-editor4-plugin>,
>>>>> installed it and then made some changes in the models and views of my
>>>>> application. Changes were made in:
>>>>>
>>>>> 1: editor/models/db1.py
>>>>> Contents are:
>>>>>
>>>>> # -*- coding: utf-8 -*-
>>>>> from plugin_ckeditor import CKEditor
>>>>> ckeditor = CKEditor(db)
>>>>> ckeditor.define_tables()
>>>>>
>>>>> db.define_table('content', Field('title', length=255),
>>>>>                 Field('public', 'boolean', default=True),
>>>>>                 Field('text', 'text', widget=ckeditor.widget))
>>>>>
>>>>> 2: editor/views/default/index.html
>>>>> Contents are:
>>>>>
>>>>> {{=ckeditor.edit_in_place('.editable', URL())}}
>>>>>
>>>>> After opening the index page in the browser a ticket was raised which
>>>>> says this:
>>>>>
>>>>> Traceback (most recent call last):
>>>>>   File "gluon/restricted.py", line 224, in restricted
>>>>>   File "C:/Users/Ramashish Gaurav/Downloads/web2py_win/web2py/applications/editor/models/db1.py", line 4, in <module>
>>>>>     ckeditor.define_tables()
>>>>>   File "applications\editor\modules\plugin_ckeditor.py", line 59, in define_tables
>>>>>     fake_migrate = fake_migrate,
>>>>>   File "gluon/dal.py", line 8414, in define_table
>>>>>   File "gluon/dal.py", line 8430, in lazy_define_table
>>>>>   File "gluon/dal.py", line 8952, in __init__
>>>>>   File "gluon/dal.py", line 8119, in check_reserved_keyword
>>>>> SyntaxError: invalid table/column name "length" is a "ALL" reserved SQL/NOSQL keyword
>>>>>
>>>>> Please help me regarding this issue (maybe I am not placing the right
>>>>> code in the right place).
>>>>>
>>>>> (I don't know whether this editor will support programming languages
>>>>> like C, C++ etc., so if you have got any new simple programming
>>>>> language based editor for a web2py app, I'll be happy to install that.)
>>>>>
>>>>> --
>>>>> Resources:
>>>>> - http://web2py.com
>>>>> - http://web2py.com/book (Documentation)
>>>>> - http://github.com/web2py/web2py (Source code)
>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "web2py-users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to web2py+un...@googlegroups.com.
>>>>> For more options, visit https://groups.google.com/d/optout.
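The allowlist approach Andrew's replies describe (keep only permitted tags and attributes, treat everything else as text) is what web2py's `XML(..., sanitize=True)` does for the rendered editor output. The code below is an added, stand-alone example written for this page, not web2py's own sanitizer, and uses only the Python standard library so it runs without web2py installed. It takes the `permitted_tags` and `allowed_attributes` lists from the thread and adds one check that a tag/attribute allowlist alone does not give you: `href` and `src` values are restricted to http, https, ftp and relative URLs, so `<a href="javascript:...">` loses its attribute even though both `a` and `href` are allowed. Tab, CR and LF are removed before the scheme check because browsers ignore them inside a URL, so `java&#9;script:` would otherwise slip past. The names `sanitize`, `_safe_url` and `_Cleaner`, and the sample inputs in the `__main__` block, are this example's own; confirm that the sanitizer you actually deploy applies an equivalent scheme check.

```python
"""Allowlist HTML sanitizer in the spirit of web2py's XML(sanitize=True).

Added example for this page, not web2py code. Standard library only.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# lists as posted in the thread
PERMITTED_TAGS = ['a', 'b', 'blockquote', 'br', 'i', 'li',
                  'ol', 'ul', 'p', 'cite', 'code', 'pre', 'img']
ALLOWED_ATTRIBUTES = {'a': ['href', 'title'],
                      'img': ['src', 'alt'],
                      'blockquote': ['type']}
# extra policy this example adds: which attributes carry URLs and which
# schemes a user may point at ('' means a relative URL)
URL_ATTRIBUTES = {'href', 'src'}
ALLOWED_SCHEMES = {'http', 'https', 'ftp', ''}
VOID_TAGS = {'br', 'img'}          # never get a closing tag


def _safe_url(value):
    """True when the URL's scheme is on the allowlist (or it is relative)."""
    # browsers drop ASCII tab/CR/LF anywhere in a URL and ignore leading
    # control characters, so normalise the same way before looking at it
    cleaned = ''.join(c for c in value if c not in '\t\r\n')
    cleaned = cleaned.lstrip(''.join(chr(i) for i in range(0x21)))
    try:
        return urlparse(cleaned).scheme.lower() in ALLOWED_SCHEMES
    except ValueError:             # e.g. malformed IPv6 literal: reject
        return False


class _Cleaner(HTMLParser):
    """Rebuilds the document, keeping only allowlisted markup."""

    def __init__(self, permitted_tags, allowed_attributes):
        super().__init__(convert_charrefs=True)
        self.permitted = set(permitted_tags)
        self.allowed = {t: set(a) for t, a in allowed_attributes.items()}
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.permitted:
            # unknown tag (script, div, iframe, ...): shown as visible text
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in self.allowed.get(tag, ()):
                continue                       # onclick, onerror, style, ...
            value = value or ''
            if name in URL_ATTRIBUTES and not _safe_url(value):
                continue                       # javascript:, data:, vbscript:
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        closer = ' /' if tag in VOID_TAGS else ''
        self.out.append('<%s%s%s>' % (tag, ''.join(kept), closer))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)       # <br/>, <img .../>

    def handle_endtag(self, tag):
        if tag in self.permitted:
            if tag not in VOID_TAGS:
                self.out.append('</%s>' % tag)
        else:
            self.out.append(escape('</%s>' % tag))

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                                   # comments never reach output


def sanitize(html, permitted_tags=PERMITTED_TAGS,
             allowed_attributes=ALLOWED_ATTRIBUTES):
    """Return html with only allowlisted tags/attributes kept as markup."""
    cleaner = _Cleaner(permitted_tags, allowed_attributes)
    cleaner.feed(html)
    cleaner.close()
    return ''.join(cleaner.out)


if __name__ == '__main__':
    # constructed inputs, typical of what a WYSIWYG editor field may carry
    for sample in ('<p onclick="x()">hi</p>',
                   '<script>alert(1)</script>',
                   '<a href="javascript:alert(1)">x</a>',
                   '<a href="java\tscript:alert(1)" title="t">x</a>',
                   '<img src="/static/pic.png" alt="a" onerror="alert(1)">'):
        print(repr(sample), '->', repr(sanitize(sample)))
```

Disallowed tags are escaped rather than silently dropped, so a user who pastes `<div>` sees it in the rendered page and knows it was rejected; dropping them would be equally safe. Whatever you choose, the tag allowlist, the attribute allowlist and the URL-scheme check must all be applied together: any one of them on its own leaves a script-injection path open.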