>>> ''.join(word[:3].lower() for word in 'David Isaac Glick'.split())

'davisagli'


David Glick – Plone developer

by admin posted Apr 05, 2010 11:48 PM

Aloha, Salesforce.org!

by admin posted Jun 22, 2018 01:50 PM

After 5 years of working for myself as Glick Software and almost 15 years working on content management systems of one sort or another, it’s time to start something new. In a couple weeks I will be starting a job on the release operations team for Salesforce.org, helping facilitate development of their tools for nonprofits.

I’m proud of the sites I’ve helped build for organizations like The Mountaineers, Washington Trails Association and High Country News, as well as research labs at Stanford and UC Berkeley. I’ve had the privilege to collaborate with fantastic friends and colleagues at Jazkarta and OddBird and in the Plone community. Leaving all of you is the hardest part of this transition.

At the same time I am looking forward to rejoining some former colleagues from my days at Groundwire, and getting to focus my efforts a bit more and work on new use cases while continuing to use Python and do collaborative open source software development for a good cause.

Plone folks, don’t worry. As you know, it’s never really possible to leave the community. I’m at the Beethoven Sprint in Bonn, Germany this week, and plan to continue to participate in the occasional sprint.

Simplify your TAL with these 2 weird tricks

by David Glick posted Nov 05, 2014 01:29 PM

Chameleon makes templating in Plone better.

I wanted to call attention to something Eric mentioned in his Plone Conference 2014 keynote.

If you're using the Chameleon template engine, you can interpolate variables like this:

<a href="${href}">${text}</a>

instead of the older, more cumbersome TAL syntax:

<a tal:attributes="href href" tal:content="text" />

I just discovered this myself a couple months ago. Hurray for more readable templates! (And thanks to Malthe Borch.) Chameleon is included by default in Plone 5, and can be installed as an add-on in Plone 4. (So feel free to use this in your own code, but don't use it yet in add-ons that are meant to be compatible with Plone 4).

While we're on the topic of Chameleon, let me share another trick I found recently. Sometimes I've got a template that renders a string, for example the status message for a form, and I want to add a link or some other HTML. But since there's an existing template which inserts the string without specifying the 'structure' flag, the string gets escaped and I can't inject HTML. Well, Chameleon is smart enough to check whether the variable being inserted has an __html__ method, and if so it will call it and insert the result without escaping. So we can define a class like this:

class Markup(object):
    def __init__(self, s):
        self.s = s

    def __html__(self):
        # Chameleon calls this and inserts the result without escaping it.
        return self.s

and then we can just use an instance of that class where we used to use a plain string. Actually Chameleon provides a Markup class that is basically the same thing, so we can do this:

from chameleon.utils import Markup
form.status = Markup('<blink>Tada!</blink>')

Of course, remember that you are now responsible for escaping unsanitized user input yourself.
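The __html__ contract described above, as an added example that is not the post's or Chameleon's own code: a stand-in for Chameleon's insertion logic (honor __html__, otherwise escape), the Markup wrapper, and a status-message builder that escapes the user-controlled parts before wrapping, which is the responsibility the last sentence refers to. The interpolate and status_with_link names are assumptions for the example.

```python
from html import escape


class Markup(object):
    """Wrapper that tells an __html__-aware engine not to escape its content."""

    def __init__(self, s):
        self.s = s

    def __html__(self):
        return self.s


def interpolate(value):
    """Mimic how Chameleon inserts ${value}: call __html__ if present, else escape."""
    html = getattr(value, '__html__', None)
    if html is not None:
        return html()
    return escape(str(value), quote=True)


def status_with_link(title, href):
    """Status message carrying a link. The caller-supplied title and href are
    escaped before being wrapped, so only the markup written here is trusted."""
    return Markup('Saved <a href="%s">%s</a>' % (escape(href, quote=True),
                                                  escape(title, quote=True)))


if __name__ == '__main__':
    # Constructed sample values: a plain string is escaped, a Markup is not.
    print(interpolate('<blink>Tada!</blink>'))
    print(interpolate(Markup('<blink>Tada!</blink>')))
    print(interpolate(status_with_link('<script>alert(1)</script>', '/edit?a=1&b=2')))
```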

How to disable Plone's HTML filtering

by David Glick posted Jan 30, 2014 12:40 PM

It's a little tricky (and often not wise) to disable Plone's HTML filters, but here's how.

A common complaint about content editing in Plone is that it is too strict about filtering out certain HTML. There is a good reason for its strictness: since some HTML tags can be used to inject unsafe content (such as cross-site scripting (XSS)) and since many Plone sites allow content editing by untrusted users, these HTML tags are disallowed by default as a security precaution.

But sometimes security is less important than being able to insert any markup. A client recently came to me with this situation:

  • It’s a news site that commonly wants to embed iframes, video, and scripts.
  • The only users with access to edit HTML are trusted editorial staff.
  • There are no other, untrusted sites on the same domain or Zope instance.

Sounds like a good candidate for turning off the filtering!

Step 1: Turn off Plone’s safe_html transform. Go to /portal_transforms/safe_html in the ZMI, and enter a 1 in the ‘disable_transform’ box. This prevents Plone from removing tags and attributes while rendering rich text.

That used to be all that was necessary to turn off filtering. But these days TinyMCE also filters HTML on the client side, using configuration based on the safe_html transform’s settings, and unfortunately it doesn’t pay attention to the ‘disable_transform’ flag. Luckily we can get around that…

Step 2: Monkey-patch the TinyMCE utility to return a wildcard when determining the allowed tags and attributes:

from Products.TinyMCE.utility import TinyMCE
TinyMCE.getValidElements = lambda self: {'*': ['*']}

Now you can edit a page, open TinyMCE’s HTML dialog, enter whatever you want, save, and it will get saved to the database and be shown on subsequent views of the page. However, if you’re using Safari, Chrome, or IE, some unsafe markup will still not show up on the initial view of the page right after saving. Why not?

These browsers provide automatic reflected XSS protection. That means that if they detect the same potentially unsafe markup in both a request and its response, they’ll block or ignore it. It’s normally a pretty nice security precaution, but in this case it’s cramping our style. Fortunately these browsers also provide a way for a site to opt out of the protection using an HTTP response header.

Step 3: Set the "X-XSS-Protection: 0" response header. This can be done in your frontend web server such as Apache or nginx. In my case, though, I figured I only needed to disable the protection for users who have permission to edit, so I added this to the site’s main_template:

tal:define="dummy python:checkPermission('Modify portal content', context) and request.RESPONSE.setHeader('X-XSS-Protection', '0');"

Et voilà. No more filtering, and the editorial staff can enter whatever markup they dream up.
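What step 1 switches off, as an added illustration that is not Plone's code: a simplified allow-list filter in the spirit of the safe_html transform, with a disable_transform switch that passes the markup through untouched. The allow-list, the SafeHtml and safe_html names and the sample input are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list in the spirit of safe_html: tag -> attributes kept.
VALID_TAGS = {'p': set(), 'a': {'href', 'title'}, 'em': set(), 'strong': set()}
# Tags whose text content is dropped along with the tag itself.
STRIP_WITH_CONTENT = {'script', 'style'}


class SafeHtml(HTMLParser):
    def __init__(self, valid_tags):
        super().__init__()  # convert_charrefs=True; text is re-escaped on output
        self.valid_tags = valid_tags
        self.skip_depth = 0
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in STRIP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if tag not in self.valid_tags:
            return  # unlisted tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            value = value or ''
            if name not in self.valid_tags[tag] or name.startswith('on'):
                continue  # unlisted attribute or event handler
            if name in ('href', 'src') and value.strip().lower().startswith('javascript:'):
                continue  # script URL
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append('<%s%s>' % (tag, ''.join(kept)))

    def handle_endtag(self, tag):
        if tag in STRIP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.valid_tags:
            self.out.append('</%s>' % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def safe_html(text, disable_transform=False, valid_tags=VALID_TAGS):
    """Filtered markup, or the input untouched when disable_transform is set."""
    if disable_transform:
        return text
    parser = SafeHtml(valid_tags)
    parser.feed(text)
    parser.close()
    return ''.join(parser.out)
```

With disable_transform set, the script tag, the event handler and the javascript: link in the sample input all reach the stored rich text unchanged, which is exactly the trade the post describes.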

P.S. If someone wants to fix TinyMCE to pay attention to safe_html's disable_transform flag, that'd be nice!

Update 2014-02-03: Thanks to Nathan van Gheem, who just fixed Products.TinyMCE to pay attention to the disable_transform flag from safe_html. Once that fix is released, only steps 1 and 3 will be necessary.

David Glick


I am a problem solver trying to make websites easier to build.

Currently I do this in my spare time as a member of the Plone core team, and during the day as an independent web developer specializing in Plone and custom Python web applications.