AJH
Reputation: 275
Wagtail insert code into body (streamfield)
Is it possible to insert html in any other way than RawHTML? RawHTML is a threat and was wondering if I could do it another way.
Thanks in advance!
Upvotes: 1
Views: 396
Answers (1)
nimasmi
Reputation: 4138
As @gasman says in his comment on the question, inserting HTML carries the same risks no matter what form field you give your editors to do it.
However, you can implement a .clean() method on your block type which sanitises the HTML using Bleach.
e.g. to allow only <p> tags:
>>> raw_html = """<p id='foo' class='dangerous'>
<script>console.log('bar');</script>
<b>Hello</b>
</p>"""
>>> html = bleach.clean(raw_html,
tags=['p'],
attributes={'p': ['id']},
strip=True)
>>> print(html)
<p id='foo'>Hello</p>
Upvotes: 2
Related Questions
- Default blocks for wagtail's StreamField when a new Page is created
- Wagtail - Add data to streamfield CharBlock on save()
- add/modify blocks value in wagtail streamfield from shell
- Wagtail - Change default HTML-Tag wrapper for StructBlock in StreamField
- Wagtail streamfield not rendering as expected
- Set Wagtail BooleanField value to True, disabled
- How To Migrate RichTextField to StreamField?
- Injecting snippets into a Wagtail StreamField interface
- Migrating Data In Wagtail
- How to move a StreamBlock between apps