HTML-Form in Pico CMS won't show (autoescape issue?)

Hey, I have Nextcloud and Pico CMS running on a VPS in a Docker container. I'm a noob to all of this, so please bear with me.

Now I want to put HTML POST forms into Pico CMS pages. Access to these forms needs to be restricted to a user group, that's why Pico CMS seems perfect for this purpose.
Unfortunately, simply putting the HTML code into the Markdown file doesn't work. So I thought that Twig might be the issue here and I tried this:
{% autoescape false %}
<form>

</form>
{% endautoescape %}
But that doesn't work either; the form isn't shown when accessing the page, only the text within it.

My question is, is it at all possible to use Pico CMS for my purpose? I have no experience with accessing a Docker container file system, and before I try that in order to change the Pico settings file, I'd like to know if there is even a chance of making this work.
Thanks and greetings

You can’t use HTML forms in Markdown files with Pico CMS for Nextcloud for security reasons. However, you can still use Twig. Just keep in mind that Markdown is for contents and Twig for theming, so putting Twig markup in your Markdown files won’t work. You’ll have to create a custom theme with the appropriate HTML forms and create a website using this custom theme.

Okay, thanks a lot, I will look into that :slight_smile:

And simple HTML (inline HTML), do you know if Pico CMS parses it? Is it necessary to configure anything in the Pico or Nextcloud config files?

Thanks

It should parse HTML. It is very simple and efficient to use.
Have a look here https://korskyrkan-intra.dedyn.io/s/j6q9axS7Z8YYxXN
This is the manual which comes with the default theme.
I think you should install Pico CMS and find out if it suits you.

Thanks for your reply. I probably have something wrong in the config files, because the HTML code is displayed as text. When editing the md files with the Nextcloud default app, I edit the index.md file that is within the Pico CMS website and it is displayed as text; it does not process the tags :frowning:

In the .twig file I can write HTML and it is processed, but in the md file itself it is not processed; a simple < b > Hello World < / b > is displayed as text.

Do you have to configure something in Pico CMS or Nextcloud?

Many thanks

You need to write <b> Hello World </b>, not < b > Hello World < / b >.

And it will be parsed correctly. Check out my previous link.

R


HTML forms in Markdown files are stripped out by Pico CMS for Nextcloud due to security reasons. You must not allow users to use active content (like user-defined HTML forms), otherwise they could potentially take over your Nextcloud instance. However, if you need HTML forms (e.g. for a contact form) you can easily create a custom theme to incorporate the form you need. Any other non-active HTML (like <b>Hello World</b>) is passed through as-is.

I have a similar experience. And the documentation is none too clear here.

I have a sample .md file like this:

---
Title: Events Calendar
---

<b>Bold Test</b>

<a href="xxx">An HTML link</a>

<iframe width="400" height="215" src="https://mynextcloud.tld/index.php/apps/calendar/embed/kXwQ72R54o9d3aYP"></iframe>

End of File

And it all renders fine, the bold is bold, the link is a link, but the iframe is swallowed.

The real—
Title: Events Calendar

Bold Test

An HTML link

From this thread I'm surmising that the Nextcloud Pico CMS strips it. I'm not overly happy with that as an explanation, repeatedly stated, for security reasons I admit, though I could live with it I guess if we had clear docs online that explained what was filtered out and what was not, and above all where. As in, is there a setting we can tweak, page-specific, template-specific, CMS-wide, that permits some or all HTML tags through?

I found for example in config.yml.template:

twig_config:                        # Twig template engine config
    autoescape: html                # Let Twig escape variables by default

But no documentation anywhere could I find as to what values this config variable can take and what they do.

I could of course put this into the template and will try just that. The workaround probably being to set a meta tag in the page asking for an embedded calendar, and then the template renders it. I’ll experiment.

Thank you @Bernd_Wechner
Your last message helped me a lot. I did a search on the keyword autoescape and I got this page : https://www.djangotemplatetagsandfilters.com/tags/autoescape/

{% autoescape off %}
Variables in this block will not be escaped.
{% endautoescape %}

I noticed that strings with braces are never rendered. So I tested by adding "autoescape off" and HTML is rendered.

If I write Bold => my test is in bold now.
On my side, I wanted to put a video in my page; I can now with the video tag.

Example :

<video width="640" height="360" src="%assets_url%/v.mp4" controls="" autobuffer="">

I hope this will help some people. I will try later to limit the rendering to the video tag only.
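The behaviour described earlier in the thread (inert tags such as <b> and <a> pass through, active content such as <form> and <iframe> is dropped, only the text inside survives) and the wish in the last post to allow the video tag only can both be expressed as an allowlist sanitizer. The following is an added example, not code from Pico CMS or Nextcloud; the allowed tag and attribute lists and the URL prefix check are assumptions chosen to match what this thread reports.

```python
# Added example (not Pico CMS/Nextcloud code): allowlist HTML sanitizer that
# passes inert markup through and drops active content, keeping inner text.
from html.parser import HTMLParser
from html import escape

# Assumed policy: inert formatting tags, links and <video>; anything else
# (form, input, iframe, script, event handler attributes) is dropped.
ALLOWED = {
    "b": set(), "i": set(), "em": set(), "strong": set(), "p": set(), "br": set(),
    "a": {"href"},
    "video": {"src", "width", "height", "controls"},
}
# Assumed: URLs must be http(s), site-relative, or use Pico's %assets_url%.
SAFE_PREFIXES = ("http://", "https://", "/", "%assets_url%")
DROP_CONTENT = {"script", "style"}  # inner text of these is discarded too

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED:
            return  # <form>, <iframe>, <input>... vanish; their text remains
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:  # also removes on* handlers
                continue
            val = value or ""
            if name in ("href", "src") and not val.lower().startswith(SAFE_PREFIXES):
                continue  # blocks javascript:/data: URLs
            kept.append(f' {name}="{escape(val, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html: str) -> str:
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Running sanitize() over the sample .md body from this thread keeps the bold text and the link while the iframe disappears, which is the same outcome the thread reports from Pico CMS for Nextcloud.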