Added support for markdown in vm and node notes field #214
Conversation
This way we can escape html, and more importantly javascript in order to prevent XSS, but have nice formatable notes.
ricco386
changed the title
gui/templatetags/gui_utils.py
Outdated
|
|
||
| @register.filter | ||
| def markdownify(text): | ||
| return markdown.markdown(text, safe_mode='escape') |
There was a problem hiding this comment.
Reading the documentation https://pythonhosted.org/Markdown/reference.html#markdown:
output_formatshould behtml5safe_modeis deprecated -> https://pythonhosted.org/Markdown/release-2.6.html#safe_mode-deprecated
There was a problem hiding this comment.
we dont mind safe_mode is deprecated as we will rely on django template escape, e.g. in template we escape the content than run via markdown and mark safe for django template to render.
gui/templatetags/gui_utils.py
Outdated
| @@ -7,6 +7,7 @@ | |||
| from json import dumps | |||
| from datetime import datetime, timedelta | |||
|
|
|||
| import markdown | |||
There was a problem hiding this comment.
Please move the import statement under import ipaddress
Our new template tag markdownify will handle escaping and also marking string safe so there is no need to have it in template again.
This fix doesnt seems to break design on other places in our app.
We shall let users know that they can use markdown so I have updated the field note. When there is focus on the text area field it gets larger so is is easier to edit the text.
etc/requirements-both.txt
Outdated
| @@ -13,3 +13,4 @@ simplejson==3.11.1 | |||
| frozendict==1.2 | |||
| requests==2.13.0 | |||
| esdc-api==2.0.1 | |||
| Markdown==2.6.8 | |||
There was a problem hiding this comment.
Are you sure that this should go to "requirements-both" and not to the "requirements-mgmt"?
gui/templatetags/gui_utils.py
Outdated
|
|
||
| try: | ||
| md = markdown.markdown(text) | ||
| except: |
There was a problem hiding this comment.
We want too broad exception here, as we don't know what can get wrong in the markdown library and we don't want to have broken page in case text formatting in template tag got wrong...
There was a problem hiding this comment.
Even in that case, you want to use "Exception" class, not everything (including SystemExit).
gui/templatetags/gui_utils.py
Outdated
| text = conditional_escape(text) | ||
|
|
||
| try: | ||
| md = markdown.markdown(text) |
There was a problem hiding this comment.
I would rename the md to something more meaningful
Due to renaming variable I have realized we cant have this bit of code more readable by minor refactoring.
gui/templatetags/gui_utils.py
Outdated
|
|
||
| try: | ||
| md = markdown.markdown(text) | ||
| except: |
There was a problem hiding this comment.
Even in that case, you want to use "Exception" class, not everything (including SystemExit).
Changed javascript from hardcoded sizes to use new class for large text area in modal window. Regenerated whole scss files to css we use.
Added new class for markdownify table as other changes were breaking design.
Updated template tag to be in one function and updated view details to have markhown class that can be styled if necessary...
Update list to have some style as default inherited style for list was none
Added css to format lists nicely even nested ones. Added extensions to understand tables and wrap code block.
This way we can escape html, and more importantly javascript in order
to prevent XSS, but have nice formatable notes.
Functionality added due to issue #98