Django: text, font, and style


Malik Rumi

Jan 1, 2018, 1:46:12 PM
to Django users

Apparently I completely misunderstand the built-in template tags {% autoescape %} and {% safe %}. Either they don't do what I expect, or I can't get them to do what I expect. But what I am trying to do is not at all unusual, so this post is all about learning from the community what are the best practices for getting this done.


Simply put, I want to be able to put some style on any arbitrary text in any arbitrary article on my site.


I have tried the version of TinyMCE built into Mezzanine. I found it both too limiting and too complex for my purposes. I also think the idea of using a WYSIWYG editor just to make a single word <b>bold</b> or with <font: color=yellow> highlighting is pretty heavy-handed. There must be a better way. What is it?


I did stumble across a snippet for a custom template tag, https://www.djangosnippets.org/snippets/1242/, but it is 9 years old and has only one comment in all that time. Although the comment is favorable, that's hardly what I would call a large and happy current user base. On the flip side, I assume this is not very different from how {% url %} works, so maybe it can be hacked to do what I'm talking about?


I also looked at djangopackages, and the results were disappointing. Django-text looked promising, but the author wrote me that it is no longer in active development :-(


So, all you experts out there, how do you solve this problem? Thanks.


p.s. I am comfortable with html, but CSS and javascript, not so much. Doesn't mean I can't or won't learn if that's your go-to option, I'm just letting you know where I am.


p.s.s. HAPPY NEW YEAR TO ALL!

Etienne Robillard

Jan 1, 2018, 1:50:56 PM
to Malik Rumi, django...@googlegroups.com

Hi Malik,

I share your views regarding the autoescape templatetag.

Personally I don't use the Django template framework but depend on Mako for UTF-8 template rendering and HTML escaping.


Happy new year!

Etienne


-- 
Etienne Robillard
tka...@yandex.com
https://www.isotopesoftware.ca/

Jani Tiainen

Jan 1, 2018, 4:32:48 PM
to django...@googlegroups.com
Hi.

By default all strings processed through Django templating language are considered as unsafe. IOW all strings get HTML-escaped properly.

To get around that you can either use the safe filter or declare a particular string as safe in a view.


Malik Rumi

Jan 1, 2018, 5:30:52 PM
to django...@googlegroups.com
Well, as I said at the beginning, I don't seem to 'get' autoescape and safe. For example, I put this in my template:

{{ object.content|linebreaks|safe }}

But the result in my web page is:

     <p>Friday, November 17, 2017<br>

     5:36 pm</p>

     <h3>pga4 and mezz</h3>

     <p>I am happy to report.....  

So what am I doing wrong here? (I didn't know I could use safe in a view. Haven't tried that yet.)


“None of you has faith until he loves for his brother or his neighbor what he loves for himself.”


Malik Rumi

Jan 1, 2018, 5:48:38 PM
to django...@googlegroups.com
This also fails, and renders exactly as you now see it on my web page:

    {% autoescape off %}
    <h1 class="text-info">Yea, that's going to be a monster....</h1>
    {% endautoescape %}


Malik Rumi

Jan 1, 2018, 6:03:03 PM
to django...@googlegroups.com
I even tried putting this at the top of my detail template, inside {% block content %}:

    <style>

    p }

    color: red;
    }

    </style>

But the result was the same:

    <p>This is all just to help me understand. I put this</p>

So what am I doing wrong, here?


James Schneider

Jan 1, 2018, 6:11:16 PM
to django...@googlegroups.com


On Jan 1, 2018 2:29 PM, "Malik Rumi" <malik....@gmail.com> wrote:
Well, as I said at the beginning, I don't seem to 'get' autoescape and safe. For example, I put this in my template:

{{ object.content|linebreaks|safe }}

But the result in my web page is:

     <p>Friday, November 17, 2017<br>

Have you verified that object.content contains un-escaped (raw) HTML? Is it possible that the steering is being escaped before it is saved?

What is the raw output from object.content in the shell?

Is content a real field on the model or is it a property or method that potentially returns pre-escaped HTML? You may be marking the strings as safe, but it appears that they may already be escaped before they hit the template.


-James

James Schneider

Jan 1, 2018, 6:12:19 PM
to django...@googlegroups.com



Have you verified that object.content contains un-escaped (raw) HTML? Is it possible that the steering is being escaped before it is saved?

s/steering/string/

Mike Dewhirst

Jan 1, 2018, 6:34:02 PM
to Django users
On 2/01/2018 10:01 AM, Malik Rumi wrote:
> I even tried putting this at the top of my detail template, inside {%
> block content %}:
>
>     <style>
>
>     p }
p {
>
>     color: red;
>     }
>
>     </style>
>
> But the result was the same:
>
>     <p>This is all just to help me understand. I put this</p>
>
> So what am I doing wrong, here?

Django always converts your html tags. I would remove the autoescape and
try the safe filter all by itself. That may work but is not what I do.

I selectively permit some tags and prevent others using bleach and
Django's own mark_safe() in my views.

Bleach has a set of permissible tags by default and converts all others
to &gt; and &lt; entities. You can add to those defaults if you need to.

That means a bleached piece of text may have a mixture of genuine html
tags and converted (i.e., harmless) tags which actually look like html
source but are not.

To get that piece of text to render properly is not possible if you just
render it as is because Django converts the remaining tags even after
bleaching. So you have to mark that piece of text safe before rendering it.

# in a view

from django.utils.safestring import mark_safe

renderable_text = mark_safe(piece_of_bleached_text)


Then in your template

{{ renderable_text | safe }}


You still need the safe filter because renderable_text still has genuine
html which you want the browser to recognise - even though bleach may
have converted some disallowed tags.

https://docs.djangoproject.com/en/1.11/howto/custom-template-tags/#filters-and-auto-escaping

Cheers

Mike



Malik Rumi

Jan 1, 2018, 9:02:35 PM
to django...@googlegroups.com
I'm sorry, James. What the heck is 'steering' in this context?


On Mon, Jan 1, 2018 at 3:11 PM, James Schneider <jrschn...@gmail.com> wrote:



Have you verified that object.content contains un-escaped (raw) HTML? Is it possible that the steering is being escaped before it is saved?

s/steering/string/


Malik Rumi

Jan 1, 2018, 9:08:04 PM
to django...@googlegroups.com
Mike,

Thank you, I think we are now on to something. I've heard of bleach, but never used it and frankly forgot about it until now. I will go read up on it. I also have never heard of Django's own mark_safe, so I will check that out, too. 

I did a little more experimenting with autoescape while waiting for these answers, and I may now have a better grasp on how it works, but still not so much with safe. But this is a good start. thx!


James Schneider

Jan 1, 2018, 10:04:14 PM
to django...@googlegroups.com


On Jan 1, 2018 6:01 PM, "Malik Rumi" <malik....@gmail.com> wrote:
I'm sorry, James. What the heck is 'steering' in this context?

It's not, my phone autocorrected it to steering. It was supposed to be 'string'.

Malik Rumi

Jan 1, 2018, 10:43:51 PM
to django...@googlegroups.com
Yea, I disconnected that feature on my phone.....
