
This:

<embed type="text/html" src="https://example.com/" width="100%" height="100%">

gets converted into this (when rendered on the page):

<p> &lt;embed type="text/html" src="https://example.com/" width="100%" height="100%"&gt; </p>

making the embed tag unusable. Is there any way to stop this from happening? The same happens when you use an iframe tag. I expect the page "example.com" to be rendered.

I'm using Django for the project and have the following displaying the Markdown:

{{ page.text | escape | markdown | safe }}

with page.text being the variable holding the text.

The version of Markdown I'm using is 3.2.

  • It works just fine for me, both using the command-line interface and the programmatic interface. Please edit your question to show us how you're trying to convert the file. Commented Jun 18, 2020 at 23:45
  • @Chris I've now edited the question to include code which displays the markdown, however, there isn't anything more to add. Django is the framework being used for the system and the extra code added is what displays the information. Commented Jun 19, 2020 at 1:07
  • Ah, you didn't mention Django before. What value does page.text have? Is it that whole embed tag? Why are you using the escape filter? Its whole point is to escape HTML, e.g. to convert < to &lt;, which doesn't make much sense if you're then using the safe filter. Commented Jun 19, 2020 at 1:14
  • If this question gets reopened I'll add a proper answer, but this ☝️ is the issue. Commented Jun 19, 2020 at 1:16
  • @Chris That's the answer, thanks Commented Jun 19, 2020 at 1:23

1 Answer

I'm using Django for the project and have the following displaying the Markdown:

{{ page.text | escape | markdown | safe }}

Assuming page.text contains the <embed> you show in your question, your problem is your use of the escape filter.

Its job is to escape HTML code, which includes converting < to &lt; and > to &gt; as you are seeing. Once that conversion has been made, neither the markdown nor the safe filter will change it back.

It doesn't make a lot of sense to use escape and then safe, as safe simply prevents autoescaping.

The right solution depends on the source of your page.text. If you trust that source, you can take escape out of your template. Note that this does open the door for security issues from malicious users or accidental misuse, e.g. by cross-site scripting.

If you don't trust the source, you have two main options:
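An added example, not part of the original answer and not a reconstruction of the options it refers to: one way to allow embeds from an untrusted author is to accept only a URL and build the tag server-side. `django_escape` is a stdlib stand-in for the `escape` filter; `build_embed`, `ALLOWED_EMBED_HOSTS` and the sample URLs are assumptions made for the illustration.

```python
import html
from urllib.parse import urlsplit

# Assumption: hosts this site agrees to frame (constructed for the example).
ALLOWED_EMBED_HOSTS = {"example.com"}


def django_escape(text):
    """Stand-in for Django's `escape` filter: HTML-escape the input."""
    return html.escape(str(text))


def build_embed(url):
    """Return an <embed> tag for an allowlisted https URL, else None."""
    url = url.strip()
    # Reject whitespace, control characters and backslashes, which browsers
    # and urlsplit() may interpret differently.
    if any(c.isspace() or ord(c) < 0x20 or c == "\\" for c in url):
        return None
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or port not in (None, 443):
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if parts.hostname not in ALLOWED_EMBED_HOSTS:
        return None
    # Escape for attribute context so the URL cannot close the src="..." value.
    src = html.escape(url, quote=True)
    return f'<embed type="text/html" src="{src}" width="100%" height="100%">'


# The tag from the question, used as sample input.
RAW_TAG = '<embed type="text/html" src="https://example.com/" width="100%" height="100%">'

if __name__ == "__main__":
    print(django_escape(RAW_TAG))  # the tag as inert text, as in the question
    print(build_embed("https://example.com/"))
    print(build_embed("https://example.com@attacker.invalid/"))
```

In a Django project the string returned by `build_embed` would be the only part marked safe, while `page.text` itself keeps being escaped.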
