Is there some way to make Twig stop sanitizing HTML URL links? - twig

Twig does a great job of sanitizing dangerous user input. However, I'm building a particular web app where I want to allow users to post clickable URL links in public comments. Is there some way I can make Twig not sanitize URL links, but still sanitize everything else?

You can use the raw filter to prevent HTML from being escaped:
{{ some_html|raw }}
Or maybe a better option would be to use it with the striptags filter and whitelist <a> tags:
{{ some_html|striptags('<a>')|raw }}
Internally, Twig uses the PHP strip_tags function. Note that its documentation has this warning:
Warning
This function does not modify any attributes on the tags that you allow using allowable_tags, including the style and onmouseover attributes that a mischievous user may abuse when posting text that will be shown to other users.
See TwigFiddle.
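As an added illustration of that warning (this is not code from the answer above or from the Twig project), the PHP below shows what `striptags('<a>')` leaves behind on a constructed sample comment, beside a minimal DOM-based allow-list that keeps only `<a>` elements with an http(s) `href`; the helper names, the `rel` value and the sample input are assumptions.

```php
<?php
// Constructed sample comment: one legitimate link, one javascript: link and a script.
$comment = 'Visit <a href="https://example.com" onmouseover="alert(1)">site</a> '
         . 'or <a href="javascript:alert(2)">this</a><script>alert(3)</script>';

// What {{ comment|striptags('<a>')|raw }} renders: both <a> tags survive with
// every attribute intact, so the onmouseover handler and javascript: URL remain.
$loose = strip_tags($comment, '<a>');

/** Keep only <a> with an http/https href (no other attributes); escape all other text. */
function sanitizeLinks(string $html): string
{
    $doc = new DOMDocument();
    // Wrap the fragment so it parses predictably; suppress warnings on sloppy markup.
    @$doc->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $out = '';
    foreach ($doc->getElementById('root')->childNodes as $node) {
        $out .= renderNode($node);
    }
    return $out;
}

function renderNode(DOMNode $node): string
{
    if ($node instanceof DOMText) {
        return htmlspecialchars((string) $node->nodeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    if (!$node instanceof DOMElement) {
        return '';                     // comments, processing instructions, etc.
    }
    $tag = strtolower($node->tagName);
    if ($tag === 'script' || $tag === 'style') {
        return '';                     // drop these wholesale, text content included
    }
    $inner = '';
    foreach ($node->childNodes as $child) {
        $inner .= renderNode($child);
    }
    if ($tag === 'a') {
        $href   = $node->getAttribute('href');
        $scheme = strtolower((string) parse_url($href, PHP_URL_SCHEME));
        if ($scheme === 'http' || $scheme === 'https') {
            return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                 . '" rel="nofollow noopener">' . $inner . '</a>';
        }
    }
    return $inner;                     // any other tag or unsafe link: keep text, drop markup
}

echo $loose, "\n";            // attributes and javascript: href still present
echo sanitizeLinks($comment); // only the https link survives, with href alone
```

To use it from a template, register the function as a Twig filter marked safe for HTML, e.g. `new \Twig\TwigFilter('safe_links', 'sanitizeLinks', ['is_safe' => ['html']])`, and write `{{ comment|safe_links }}` instead of `|raw`.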

Related

Ckeditor - using twig code within FOSCKEditor wysiwyg

I wanted to know if it was possible to put twig code in ckeditor and have it correctly interpret the code in order to generate the HTML code.
I've already seen some configurations (using "protectedSource") that allow putting twig code within ckeditor, but when I do that, the twig code is still interpreted as a string.
My goal here is to create some twig functions that I could use inside CKEditor.
Example :
Let's say that the "my_complex_table_function" function returns a complex table. I would like to be able to put
{{ my_complex_table_function }}
in CKEditor and that it returns the table in the front page.
Is that possible?
Thanks guys

Inject meta tag dynamically to HTML with Express

Summary:
I'm currently migrating a website on an Apache + PHP stack over to Node + Express, and would like to know the best way/best practice (if there is one) for dynamically injecting meta tags under the new stack.
Details:
Under the existing stack, meta tags are injected dynamically by adding PHP code into the HTML file directly. As rendering is done on the server side, the tags are properly interpreted by Facebook/Google+/whatever web crawlers.
Under the new stack, after doing some research, I've come across two options:
Use a template engine like Pug (Jade) to render the HTML with locals. (It seems to be overkill to rewrite the existing HTML in Pug's syntax though? Can Pug deal with HTML, or do I have to consider other template engines like EJS? What template engine do you advise me to explore?)
Use DOM manipulation plugin like Cheerio to inject the meta tags first, before rendering begins.
Between these two options, which one will have better performance, or is there no material difference? Are there any other ways that you'd otherwise recommend? Thanks!
EJS would probably be the simplest one for that and very similar to PHP.
You can also take a look at Mustache and Handlebars for other options with minimal changes to your existing HTML.
with EJS: <html><head><%= yourMetaTags %> ...
with Mustache: <html><head>{{ yourMetaTags }} ...
with Handlebars: <html><head>{{ yourMetaTags }} ...
Also doT.js is very fast.
See:
http://www.embeddedjs.com/
https://mustache.github.io/
http://handlebarsjs.com/
http://olado.github.io/doT/
Parsing the HTML and manipulating it with a DOM API just to insert meta tags would be overkill in my opinion.
On the other hand if all you need is to insert meta tags then you could make a simple regex substitution, using something like yourHTML.replace('<head>', '<head>'+yourMetaTags); but it could potentially get more complex over time when you need more functionality. After all, everyone has made a templating engine at some point in life.

load external html files with handlebars

I would like to create external Handlebars files using the following -
1. header- Contains html codes
2. footer- Contains html codes
3. nav- Contains html codes
4. search - Contains html codes
etc.
Is there a way with handlebars to do this, so that I can include each template if and when needed on a specific page? Not sure how to go about it.
Thanks!
Absolutely! You can use Handlebar partials to do this. Simply register your header, nav, etc files as partials and then you can use this in your main template by doing something like this:
{{> header }}
{{> nav activePage=(activePage) }}
Have you considered using ASP.NET?
If you wanted to add content from other html files, I would highly recommend using #RenderPage(). If you use this, then you could set up a layout such as:
#RenderPage("header.html")
Some random description
#RenderPage("navigationbar.html")
#RenderPage("searchbar.html")
- Insert some content here -
#RenderPage("footer.html")
I'm certain that if you use this kind of layout, you'd get the appearance you want. Obviously this is just an example, so you'd probably want to add some kind of CSS layout to suit your taste, but this is how I would go about it in ASP.NET.

Bolt-CMS Using extensions in page?

I read this from a recent answer to a question:
After enabling the extension, just use {{ twitterfeed() }} in your templates.
But, what if I only want say a contact form on one page? Putting the tag in the page's text field doesn't work. And putting it in the template would have it available on all the pages using that template. Do I have to duplicate a template to use only for the contact page? If not where do I put the contact form tag?
I went to Bolt's extension page, selected "how to use extensions" from the menu, and got this message:
No proper name for a page in the docs. Bye!
Perhaps someone at Bolt could fix the URL?
I would like to know why none of the extensions I want to use are working. I am clearly missing a vital piece of info.
Thank you.
After enabling the extension, just use {{ twitterfeed() }} in your templates.
The Twig function {{ twitterfeed() }} belongs (generally speaking) in a Twig template file. You can use Twig in record fields, but that requires setting allowtwig: true for that Contenttype field.
But, what if I only want say a contact form on one page?
There are a few ways to do this, but the easiest way is to make a copy of your site's template file for the page's Contenttype and select that template for the 'Contact' record. The default 'pages' Contenttype that comes with Bolt has a templateselect field type that enables this.
No proper name for a page in the docs. Bye!
Fixed! Thanks for pointing it out.

Symfony TinyMCE Implementation

I have a small issue implementing TinyMCE in a Symfony project. I get the text editor to come up and save rich text to a database field. But when I go to "echo" it on a page, I get all the HTML tags instead of the rich text itself. Is there a special way that I need to "echo" this so that it parses the HTML? I also want it so that when people manually type in HTML tags, they are displayed as regular text (to avoid people adding hyperlinks and other unwanted things to their posts). Here is what displays:
<p>Test</p> <p><strong>Bold Test</strong></p> <p><span style="text-decoration: underline;"><strong>Underline Text</strong></span></p>
Instead of this:
Test Bold Test Underline Text
Symfony2 uses output escaping for security. You can read about it here: http://symfony.com/doc/current/book/templating.html#output-escaping
To echo a variable without escaping it you can do this:
{{ article.body|raw }}
In order to clean up and restrict which tags can be used you will want to use HTMLPurifier which has a bundle here: https://github.com/Exercise/HTMLPurifierBundle
For Symfony 1.4
Symfony 1.4 has similar output escaping. You can get the raw data with:
$sf_data->getRaw('varName');
or if it's a method on an object you can add ESC_RAW as a parameter to the method call (warning: symfony will do some magic here)
$myObject->getMessage(ESC_RAW);
more on 1.4 output escaping here