Pasting images versus uploading
61 views
Skip to first unread message
Mike Dewhirst
Oct 7, 2020, 8:03:54 PM10/7/20
to Django users
Users need to include an image of a molecular structure in a project I'm
building. These are small enough that I could limit the size without
restricting functionality. The image needs to be printed out for a report.
What is the best approach?
I have implemented a TinyMCE-lite HTMLField which accepts a pasted image
and in other systems I have used a Django ImageField for uploading.
ImageField is obviously easier on database size but pasting is easier on
the users.
I'm keen to make the UI easier (by pasting) but I worry it is a
vulnerability if abused.
Thanks for any advice
Cheers
Mike
building. These are small enough that I could limit the size without
restricting functionality. The image needs to be printed out for a report.
What is the best approach?
I have implemented a TinyMCE-lite HTMLField which accepts a pasted image
and in other systems I have used a Django ImageField for uploading.
ImageField is obviously easier on database size but pasting is easier on
the users.
I'm keen to make the UI easier (by pasting) but I worry it is a
vulnerability if abused.
Thanks for any advice
Cheers
Mike
Ryan Nowakowski
Oct 8, 2020, 8:56:59 PM10/8/20
to django...@googlegroups.com
Maybe you could swap out the default ImageField widget for TinyMCE-lite HTMLField? Security-wise you probably want to sanitize the input from HTMLField in Django to make sure only img tags are allowed.
Mike Dewhirst
Oct 9, 2020, 3:24:00 AM10/9/20
to django...@googlegroups.com
On 9/10/2020 11:55 am, Ryan Nowakowski wrote:
> Maybe you could swap out the default ImageField widget for
> TinyMCE-lite HTMLField? Security-wise you probably want to sanitize
> the input from HTMLField in Django to make sure only img tags are allowed.
With the image pasted in, viewing the browser page source it is
> Maybe you could swap out the default ImageField widget for
> TinyMCE-lite HTMLField? Security-wise you probably want to sanitize
> the input from HTMLField in Django to make sure only img tags are allowed.
represented as just a string although it does contain ...
... src="data:image/png;base64,iVBOR ...
Are you saying all I have to do is write a clean() method for the
HTMLField to detect various image types?
Thanks
Mike
>
> On October 7, 2020 7:02:16 PM CDT, Mike Dewhirst
> <mi...@dewhirst.com.au> wrote:
>
> Users need to include an image of a molecular structure in a project I'm
> building. These are small enough that I could limit the size without
> restricting functionality. The image needs to be printed out for a report.
>
> What is the best approach?
>
> I have implemented a TinyMCE-lite HTMLField which accepts a pasted image
> and in other systems I have used a Django ImageField for uploading.
> ImageField is obviously easier on database size but pasting is easier on
> the users.
>
> I'm keen to make the UI easier (by pasting) but I worry it is a
> vulnerability if abused.
>
> Thanks for any advice
>
> Cheers
>
> Mike
>
> Groups "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to django-users...@googlegroups.com
> <mailto:django-users...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/0F5DF089-E571-4730-9D46-7DD41216F4D4%40fattuba.com
> <https://groups.google.com/d/msgid/django-users/0F5DF089-E571-4730-9D46-7DD41216F4D4%40fattuba.com?utm_medium=email&utm_source=footer>.
--
Signed email is an absolute defence against phishing. This email has
been signed with my private key. If you import my public key you can
automatically decrypt my signature and be sure it came from me. Just
ask and I'll send it to you. Your email software can handle signing.
Dvs Khamele
Oct 11, 2020, 1:03:33 PM10/11/20
to django...@googlegroups.com
Hi do you hire contract based python/django freelancer?
We can help you in this and related tasks at fair prices. Reply or send email to div...@pythonmate.com
Best Regards,
Divyesh Khamele,
Pythonmate
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/3611cc83-8ce8-5ccc-5f15-1463da733e26%40dewhirst.com.au.
Ryan Nowakowski
Oct 14, 2020, 6:29:55 PM10/14/20
to django...@googlegroups.com
On Fri, Oct 09, 2020 at 06:22:10PM +1100, Mike Dewhirst wrote:
> On 9/10/2020 11:55 am, Ryan Nowakowski wrote:
> > Maybe you could swap out the default ImageField widget for
> > TinyMCE-lite HTMLField? Security-wise you probably want to sanitize
> > the input from HTMLField in Django to make sure only img tags are allowed.
>
> With the image pasted in, viewing the browser page source it is
> represented as just a string although it does contain ...
>
> ... src="data:image/png;base64,iVBOR ...
>
>
> Are you saying all I have to do is write a clean() method for the
> HTMLField to detect various image types?
In your Django form class I'd write a clean method specifically for that
> On 9/10/2020 11:55 am, Ryan Nowakowski wrote:
> > Maybe you could swap out the default ImageField widget for
> > TinyMCE-lite HTMLField? Security-wise you probably want to sanitize
> > the input from HTMLField in Django to make sure only img tags are allowed.
>
> With the image pasted in, viewing the browser page source it is
> represented as just a string although it does contain ...
>
> ... src="data:image/png;base64,iVBOR ...
>
>
> Are you saying all I have to do is write a clean() method for the
> HTMLField to detect various image types?
field[1] that parses the html, perhaps using BeautifulSoup[2]. Then
search for any "img" tags. For each img tag, parse the data URI[3] to
get the image data.
You still have the problem that the HTMLField is meant to be a
replacement for TextField so you'll need to figure out how to back that
with an ImageField instead. Perhaps you should try to go one level
lower and use the TinyMCE form widget[4] instead of using the HTMLField?
[1] https://docs.djangoproject.com/en/3.1/ref/forms/validation/#cleaning-a-specific-field-attribute
[2] https://www.crummy.com/software/BeautifulSoup/bs4/doc/
[3] https://stackoverflow.com/a/33870677/226697
[4] http://romanvm.github.io/django-tinymce4-lite/usage.html#tinymce-widget-for-forms
Mike Dewhirst
Oct 16, 2020, 7:25:19 PM10/16/20
to django...@googlegroups.com
Ryan
Thank you for that research and advice. I need to follow through and absorb the implications. That means trying both and then deciding.
I'll report in due course.
Thanks to all
Mike
--
(Unsigned mail from my phone)
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/20201014222827.GW12495%40fattuba.com.
Reply all
Reply to author
Forward
0 new messages