lqez / django-summernote

Simply integrate Summernote editor with Django project.
MIT License

Why is my src attribute ignored? #485

Open 10cheon00 opened 2 years ago

10cheon00 commented 2 years ago

I installed django-summernote and followed all the setup steps; however, when I upload an image and post it with text, the img tag doesn't have a src attribute.

In the DB table, the result appears like this:

 id |                 text
----+-------------------------------
  1 | <p>This is image.</p><p><br></p><img style="">

I tried to find a solution. The reason was discovered in SummernoteTextFormField. When the field saves data, it runs bleach.clean(). bleach removes HTML tags, attributes, and other things according to the settings specified in settings.py. So I opened settings.py and found that there is no src attribute. After I added src to ATTRIBUTES, uploading images works successfully.

 id |                                                               text                                                                
----+-----------------------------------------------------------------------------------------------------------------------------------
  1 |<p>This is image.</p><p><br></p><img src="http://127.0.0.1:8000/media/django-summernote/2022-10-07/b11642da-88a4-41c1-b509-b94a49371ad1.png" style="">

I think this isn't a good solution for avoiding XSS. There must be a reason why the src attribute doesn't exist in settings.ATTRIBUTES.

Before solving this problem, I got an unexpected keyword argument error, #477. So I installed bleach-4.1.0. Is this the cause of the above error?

Update: I solved this problem with the code below in the project's settings.py.

from django_summernote.settings import ATTRIBUTES

# The "*" key applies to every allowed tag, so this permits src on all of them.
ATTRIBUTES["*"] += ["src"]
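As an added illustration that is not part of the original post, and is not django-summernote's or bleach's own code: a standard-library allowlist filter that takes a policy in the same dict shape as ATTRIBUTES and compares no `src` at all, `src` under `"*"`, and `src` scoped to `img` with a URL scheme check. The tag list, the scheme check, the policy names and the sample HTML are assumptions constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policies in the shape of the ATTRIBUTES dict quoted in this issue:
# tag -> allowed attribute names, with "*" applying to every allowed tag.
NO_SRC = {"*": ["style"]}                       # reproduces <img style="">
WILDCARD = {"*": ["style", "src"]}              # the workaround's shape
SCOPED = {"*": ["style"], "img": ["src"]}       # src only where it is needed
ALLOWED_TAGS = {"p", "br", "span", "img"}       # assumed tag allowlist
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"", "http", "https"}            # "" is a relative URL

def url_ok(value):
    """Accept relative and http(s) URLs only; unparsable values are rejected."""
    try:
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class AllowlistFilter(HTMLParser):
    """Re-emit only allowlisted tags and attributes (illustration, not bleach)."""
    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy, self.out = policy, []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        allowed = set(self.policy.get("*", [])) | set(self.policy.get(tag, []))
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name in allowed and (name != "src" or url_ok(value)):
                kept += f' {name}="{escape(value)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(html, policy):
    parser = AllowlistFilter(policy)
    parser.feed(html)
    parser.close()  # flush any text still buffered by the parser
    return "".join(parser.out)

# Constructed input: an uploaded image, src on a non-image tag, a script URL.
SAMPLE = ('<p>This is image.</p><img src="/media/a.png" style="">'
          '<span src="http://x.example/a.png">t</span><img src="javascript:void(0)">')
```

Calling `sanitize(SAMPLE, policy)` with each of the three policies shows which elements keep their `src`.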