I’m trying to print out HTML generated for user-submitter markdown , by {{=markdown(post.message)}} where

Question

0

Asked: May 31, 20262026-05-31T06:50:07+00:00 2026-05-31T06:50:07+00:00

I’m trying to print out HTML generated for user-submitter markdown , by {{=markdown(post.message)}} where

0

I’m trying to print out HTML generated for user-submitter markdown, by

{{=markdown(post.message)}}

where markdown function is imported through

from gluon.contrib.markdown.markdown2 import markdown

We2Py seems to automatically encode HTML-Entities, so every < is converted into < and every > is converted into >. How do I prevent this from happening?

Are there any security concerns that I’ll need to keep in mind while doing so? Also, could anyone kindly tell me how can I strip the HTML when storing it in the database, while retaining the markdown?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-31T06:50:08+00:00

You have to do this:

{{=XML(markdown(post.message))}}

every string is sanitized by template render, if you pass "<div>" it will be rendered as "<div>" it is to protect against malicious code.

When you pass a string to XML helper XML("<div>") it uses an XML parser to render the string in to an XML tree structure,XML has a method .xml() which returns the unescaped string to the response.body so the user’s browser have the correct html.

you can control some parameters of XML rendering.

:param text: the XML text
:param sanitize: sanitize text using the permitted tags and allowed attributes (default False)
:param permitted_tags: list of permitted tags (default: simple list of tags)
:param allowed_attributes: dictionary of allowed attributed

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’m trying to print out HTML generated for user-submitter markdown , by {{=markdown(post.message)}} where

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply