Adding a CMS to Your Flask Web App Transcripts
Chapter: The pages (our WordPress)
Lecture: Rendering real page content

Login or purchase this course to watch this video and the rest of the course contents.
0:00 so you can see that our page looks really good. It completely adopts a navigation. I could even log in and go back over here
0:11 and I can see it respects whether or not I'm logged in exactly as we described at the top of the chapter.
0:17 This is great. However, I've been sort of skirting around one of the issues that were going to run into here, and it's time to address it.
0:26 And that is the fact that there's no riel true content specified in the CMS For this page. What we have is just plain text.
0:33 If we go to another page like this one that had HTML in there. Move, boy, What is this? What is going on here? This is this is not ideal.
0:45 Here's a hyperlink. I can't click it. Obviously, there's no format. So what's happening?
0:51 Well, this is Jinja to trying to make sure that we don't get hacked. What? What do we mean by that?
0:57 Imagine we're running a forum like stack overflow or something like that. People users can come create account,
1:03 and then they can type in content that will then be shown back to other users If they type something like, Did you know you can donate to the PSF?
1:12 Here's a link that's great. But if they type slash script, here's some evil JavaScript or other types of militias.
1:19 HTML. And it were to just show it back unmodified. If we let them type anything in here,
1:25 they could basically do cross site scripting and other types of attacks against all of our
1:30 users and take over the page and redirect people to weird places all sorts of stuff we don't want. So by default,
1:38 Jinja will not show raw HTML and knows that that's a pretty bad idea. But in this case, remember the point of allowing people to type and content here
1:49 We got to think of who is going to be typing that content. It's not random user off of the Internet.
1:56 It's somebody at our company, somebody that already controls the website and admin user where they come over here. Well,
2:03 we're not quite there yet where they go over that section and they can type into there, and they can specify what goes here,
2:10 right? So in that restricted case, this is safe. All right, what are employees? Air typing should be safe.
2:17 If we don't trust people to not hack our own website, they shouldn't be working for us. So over here the fix is simple.
2:25 The motivation and the idea is really important that you get it. Because if you put this kind of statement onto user generated content,
2:32 you're just waiting to be hacked her like, have your users be attacked by the person who typed in.
2:38 But in this particular case, because we trust this input, it's fine. The fix as simple it is to say no, no, no, This is safe.
2:47 Please don't each TML encode it. Just drop it on the page. We just save and refresh. But ah,
2:55 there we go Now how we can donate to the PSF And if we click on the link Yep, We're actually over there donating.
3:01 So now we've got our cool interaction happening, just like we'd expect right now, our CMS page in our data driven page,
3:11 they look basically indistinguishable, right? And that's what we want. We don't want users to go. Here's the weird, funky CMS side of our site.
3:18 And here's the rial side of our site.


Talk Python's Mastodon Michael Kennedy's Mastodon