Why is the html markup stored in the database displayed on the site in plain text?

D

doktorfish00782021-01-18 12:19:44

HTML

doktorfish0078, 2021-01-18 12:19:44

There is a page with a textarea and a submit button, the user enters what is needed there and sends it. This is stored in the sqlite database.
In particular, I am now trying to implement something similar to the editor of qna.habr itself for questions, so that there are buttons to make the text bold , for example, using tags.

Form screenshot with textarea and html

<body>
    <div class="container">
        <h1 class="mb-4">Создание билета</h1>
        <form method="POST" enctype="multipart/form-data">
            <div class="form-group">
                <div class="field_content">
                    <div class="wysiwyg">
                        <div class="icons_bar">
                            <a href="#" class="icons_bar_item_control none_decor_link" onclick=
                            'document.querySelector("textarea[name=text]").value+="<b></b>"'><b>B</b></a>

                            <a href="#" class="icons_bar_item_control none_decor_link" onclick=
                            'document.querySelector("textarea[name=text]").value+="<i></i>"'><i>I</i></a>

                            <a href="#" class="icons_bar_item_control none_decor_link" onclick=
                            'document.querySelector("textarea[name=text]").value+="<ol>\n\t<li></li>\n</ol>"'>O</a>

                            <a href="#" class="icons_bar_item_control none_decor_link" onclick=
                            'document.querySelector("textarea[name=text]").value+="<spoiler title=""></spoiler>"'>S</a>
                        </div>
                    </div>
                </div>
                <textarea class="form-control br-0 mh-350 dark_theme_input" name="text"></textarea>
            </div>
            <button type="submit" class="btn btn-primary">Создать билет</button>
        </form>
    </div>
</body>

And then actually on another page all the "themes" created by the user are displayed.

Screen display

But damn, the tags don't.... how do you say? Not converted, not converted, they are just like text.
I googled, found something about html_entity_decode, unescape, escape. Tried something, but nothing comes out. I can't understand why the tags just come out as text.
Here is the html of the main page, where topics from the database are displayed

html of the main page

<body>
  <div class="container">		
    <h3>Билеты</h3> 
    {% for t in tickets %}
    <div class="row">
      <div class="ticket">
        <div class="second_ans br">{{ t.text }}</div>
        <a class="btn btn-info disabled" href="recording/{{ t.id }}">Редактировать</a>
        <a class="btn btn-danger disabled" href="delete/{{ t.id }}">Удалить</a>
      </div>
    </div>
    {% endfor %}
  </div>
</body>

How is it stored in the database?

Let me sum it up again. I need, for example, <b>asdas</b> to be displayed on the main page as asdas , and other tags ala italic, spoiler also work)
Tell the young one please, I'm breaking my head for the second day, I can't understand. I asked a friend if he made a decent site, he throws up his hands, he says it is stored in the database in the same way as everything is for me, but it works.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

P

PrAw, 2021-01-18
@doktorfish0078

Autoescaping - automatically converts HTML to text.
https://flask.palletsprojects.com/en/1.1.x/templating/
Do it in a template with a filter: {{ t.text|safe }}
and you risk getting XSS in the future if you allow anyone to push any HTML code into the database :)