CKEditor - turn off auto-escaping judiciously for JavaScript?

Another problem with CKEditor is that you have to turn off auto-escaping in your template for it to display the HTML it has generated.

  {{article.intro|safe}}

However, you can then embed JavaScript directly into the fields of your model in HTML, which obviously isn’t ideal.

Any suggestions to overcome these problems? I’m starting to get cold feet on CKEditor. I like it, just don’t think it’s quite there yet.

I assume other people are using CKEditor in live apps, and wondering how they are overcoming these hurdles?

Yes - I do not trust my users to not inject JavaScript into their blog posts. :smile: I would, probably.

That’s an issue with all editors generating HTML. You should post-process the HTML on the server side to ensure that script tags etc. are removed from the source. There are various solutions for this:

There are other solutions of course.

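As an added illustration of the server-side post-processing suggested above (this is example code written for this page, not code from the thread, from CKEditor or from Django), here is an allowlist-based sanitizer built only on Python's standard-library `html.parser`. The allowlist of tags and attributes is an assumption chosen for a blog-post body; the point is the approach: keep only known-good tags and attributes, drop the contents of `<script>`-like elements entirely, strip event-handler attributes, and reject `javascript:`-style URLs, then pass the result through `|safe` (or `mark_safe`) instead of the raw editor output.

```python
"""Allowlist HTML sanitizer for rich-text editor output.

Added example, not code from the thread, CKEditor or Django. Uses only the
Python standard library. The allowlists below are assumptions for a blog-post
body; adjust them to your content model.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: tags not listed are dropped (their text is kept),
# attributes not listed are removed.
ALLOWED_TAGS = {
    "p", "br", "b", "strong", "i", "em", "u", "s", "ul", "ol", "li",
    "blockquote", "pre", "code", "h2", "h3", "h4", "a", "img",
}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "title"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
# For these tags the whole element, content included, is discarded.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


def _safe_url(value: str) -> bool:
    # Relative URLs (no scheme) and the listed schemes are accepted;
    # javascript:, data:, vbscript: etc. are rejected.
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []      # stack of allowed tags we have emitted
        self.dropping = 0   # nesting depth inside a DROP_CONTENT tag

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick, onerror, style, ...
            if name in URL_ATTRS and not _safe_url(value or ""):
                continue  # drops javascript: and similar URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.dropping:
                self.dropping -= 1
            return
        if self.dropping or tag not in self.open:
            return
        # Close back to the matching tag so the output stays well-formed.
        while self.open:
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        # Text is always re-escaped, so "&lt;script&gt;" stays inert.
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped

    def result(self) -> str:
        while self.open:  # close anything the editor left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_html(html: str) -> str:
    """Return a sanitized HTML string safe to render with |safe / mark_safe."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of what a user could paste into the editor.
    sample = '<p onclick="x()">Hi <script>alert(1)</script>'
    sample += '<a href="javascript:alert(2)">link</a><img src="pic.png" onerror="alert(3)"></p>'
    print(sanitize_html(sample))
```

Run the sanitizer when the model is saved (or in a template filter) and store or render only its output; in Django, `mark_safe` from `django.utils.safestring` is the usual way to hand the already-sanitized string to the template. Sanitizing on output rather than on input is the safer default, because it also covers content that was stored before the sanitizer existed.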

Thanks, your project looks very promising. I notice you do a CMS, too. Looks very interesting. I’ll be checking it out shortly. I might need to use a Django based CMS soon.
