I have a form with a jwysiwyg editor. Looking at it, it can use

Question

0

Asked: May 22, 20262026-05-22T01:55:41+00:00 2026-05-22T01:55:41+00:00

I have a form with a jwysiwyg editor. Looking at it, it can use

0

I have a form with a jwysiwyg editor. Looking at it, it can use basic-formatting html tags using the formatting buttons like SO’s. Upon submitting the form, I notice its saved into the database as-is, whereas if I enter stuff like <iframe> ... </iframe> into the editor I notice that it is html-encoded inside the table.

Now, when I need to output whatever the user has submitted, can I safely use {{ output|safe }} to display the formatted text?

Is this reasonably secure enough or how should I rectify?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-22T01:55:41+00:00

Editorial Team

2026-05-22T01:55:41+00:00Added an answer on May 22, 2026 at 1:55 am

Use the safe filter only if you html-escape the data first. Otherwise you should use escape. If you want your users to be able to input data with html tags you could try to sanitize the input to prevent users from using <iframe>, <script>, etc, but allow other tags to be white-listed, and then mark it as safe.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a form with a jwysiwyg editor. Looking at it, it can use

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply