Adding a CMS to Your Flask Web App Transcripts
Chapter: The pages (our WordPress)
Lecture: Rendering real page content
Login or
purchase this course
to watch this video and the rest of the course contents.
0:00
so you can see that our page looks really good. It completely adopts a navigation. I could even log in and go back over here
0:11
and I can see it respects whether or not I'm logged in exactly as we described at the top of the chapter.
0:17
This is great. However, I've been sort of skirting around one of the issues that were going to run into here, and it's time to address it.
0:26
And that is the fact that there's no riel true content specified in the CMS For this page. What we have is just plain text.
0:33
If we go to another page like this one that had HTML in there. Move, boy, What is this? What is going on here? This is this is not ideal.
0:45
Here's a hyperlink. I can't click it. Obviously, there's no format. So what's happening?
0:51
Well, this is Ginger to trying to make sure that we don't get hacked. What? What do we mean by that?
0:57
Imagine we're running a forum like stack overflow or something like that. People users can come create account,
1:03
and then they can type in content that will then be shown back to other users If they type something like, Did you know you can donate to the PSF?
1:12
Here's a link that's great. But if they type slash script, here's some evil JavaScript or other types of militias.
1:19
HTML. And it were to just show it back unmodified. If we let them type anything in here,
1:25
they could basically do cross site scripting and other types of attacks against all of our
1:30
users and take over the page and redirect people to weird places all sorts of stuff we don't want. So by default,
1:38
Ginger will not show raw HTML and knows that that's a pretty bad idea. But in this case, remember the point of allowing people to type and content here
1:49
We got to think of who is going to be typing that content. It's not random user off of the Internet.
1:56
It's somebody at our company, somebody that already controls the website and admin user where they come over here. Well,
2:03
we're not quite there yet where they go over that section and they can type into there, and they can specify what goes here,
2:10
right? So in that restricted case, this is safe. All right, what are employees? Air typing should be safe.
2:17
If we don't trust people to not hack our own website, they shouldn't be working for us. So over here the fix is simple.
2:25
The motivation and the idea is really important that you get it. Because if you put this kind of statement onto user generated content,
2:32
you're just waiting to be hacked her like, have your users be attacked by the person who typed in.
2:38
But in this particular case, because we trust this input, it's fine. The fix as simple it is to say no, no, no, This is safe.
2:47
Please don't each TML encode it. Just drop it on the page. We just save and refresh. But ah,
2:55
there we go Now how we can donate to the PSF And if we click on the link Yep, We're actually over there donating.
3:01
So now we've got our cool interaction happening, just like we'd expect right now, our CMS page in our data driven page,
3:11
they look basically indistinguishable, right? And that's what we want. We don't want users to go. Here's the weird, funky CMS side of our site.
3:18
And here's the rial side of our site.