Adding a CMS to Your Flask Web App Transcripts
Chapter: Course conclusion
Lecture: Review: Rendering page

Login or purchase this course to watch this video and the rest of the course contents.
0:00 once we've got a page back from the database, we've gone to our CMS request,
0:06 and we've determined that the virtual euro of the euro that maps to a virtual page exists in our database. We want to show it,
0:13 it turns out, after going through the markdown processing and stuff, which happens elsewhere, the actual display of it is super,
0:20 super easy. So here's the Jinja to template to make that happen. Like all of our templates, it derives or extends.
0:28 Shared slash, Underscore layout. HTML. That's how it has the same look and feel. It has that same navigation bar at the top.
0:36 It has things about whether you're logged in and so on. And then we have a few little blocks. Weekend fill in, weaken Set the title,
0:42 which is gonna be the HTML page title. That's what shows up with the tab in your Web browser. And then we're gonna show the content,
0:49 and all we have to do is come here and say the H one or the main title displayed on the pages page DOT Title, and then we're going to show the HTML.
0:59 And remember, if we just say put the H two melon here. What happens? It looks like HTML view source. Hided shows us the HTML in a safe way.
1:09 And that's Jinja to protecting you from users typing in bad stuff and then you showing
1:14 that do other users like in a forum instead of hyping a helpful answer?
1:18 A question. You might type some script vulnerability that's trying toe act the banks of the various other users that log into the site.
1:26 That would be bad right to in order to make it actually work here, we have to say pipe safe so HTML pipe safe and that will show it as
1:35 just raw structure in the site will put the HTML as it is into the page That's exactly what we want.
1:42 But it's also a dangerous problem if we let arbitrary users type in that HTML. So remember using safe here means you cannot do this trick.
1:51 You cannot use this feature for user generated content, because if you dio, it's just a matter of time.
1:58 Still, someone figures out that they can type arbitrary Dr A script in here and start hacking your users for whatever reason,
2:05 people hack people money because they're bored, whatever but you don't want to be involved in that right.
2:10 So because we're using safe here and we're using unsafe mode in the markdown conversion all
2:17 across the board, it's not eligible or is not a good idea at all to use this for user generated content.
2:23 But it's exactly what we want for people we trust to go log into the back


Talk Python's Mastodon Michael Kennedy's Mastodon