Add rendered preview in admin. Fixes: #325

[wolph]

As discussed in #325, this adds an easy to use preview in the admin:

[jrief]

Before fixing my code annotations, I'd rather rethink, if it doesn't make more sense to se a WYSIWYG-Editor straight ahead. This would be my preferred long term solution.

Thanks for your work, but this new feature must be approved by @selwin anyway. As I said, this shall only be a temporary solution.

[wolph]

The pull request definitely needs cleanup, but since I didn't get a reply in the original issue anymore I thought it would be good to create a pull request so it doesn't get lost :)

Personally I think that this addition is useful even if you would have a WYSIWYG editor. The renderings of those editors are almost always different from a regular render. It's not my call however, if the WYSIWYG editor is the preferred solution than I'll close the pull request and wait for that release.

With that in mind... a form to send out a test-mail would be very useful as well.

[selwin]

Having rendered HTML preview in admin would be great.

Aside from @jrief 's comments, please make sure that all JS are stripped to prevent XSS attacks.

[wolph]

Having rendered HTML preview in admin would be great.

Aside from @jrief 's comments, please make sure that all JS are stripped to prevent XSS attacks.

The easiest and safest way would be to sandbox the iframe, is that enough or should I also do a few search/replaces?
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox

[selwin]

@wolph we have https://bleach.readthedocs.io/ as optional dependency. We can use that to easily strip all JS.

[selwin]

I think we can even make bleach a required dependency @jrief . This rendered preview is a big quality of life improvement in my opinion.

[wolph]

I've cleaned up the commits and added the clean_html() call.

I should note that there is another similar attack vector in the code-base outside of this addition:

django-post_office/post_office/admin.py

Lines 179 to 182 in 5297f00

	def render_plaintext_body(self, instance):
	for message in instance.email_message().message().walk():
	if isinstance(message, SafeMIMEText) and message.get_content_type() == 'text/plain':
	return format_html('<pre>{}</pre>', message.get_payload())

And possibly this one:

django-post_office/post_office/admin.py

Lines 121 to 135 in 5297f00

	def shortened_subject(self, instance):
	if instance.template:
	template_cache_key = '_subject_template_' + str(instance.template_id)
	template = getattr(self, template_cache_key, None)
	if template is None:
	# cache compiled template to speed up rendering of list view
	template = Template(instance.template.subject)
	setattr(self, template_cache_key, template)
	subject = template.render(Context(instance.context))
	else:
	subject = instance.subject
	return Truncator(subject).chars(100)
	shortened_subject.short_description = _("Subject")
	shortened_subject.admin_order_field = 'subject'

[selwin]

Why are we adding a new field to the model? Adding a preview to admin shouldn't necessitate adding a new field.

[wolph]

I think the variable name is self explanatory, but it's to add a context to the rendered preview so all variables can be rendered with a useful value.

[selwin]

Can you move this dedicated preview functionality to a new view?

[selwin]

@wolph gentle reminder to update this PR so we can merge this in.

[gabn88]

@wolph @selwin This sounds like a great feature that I might use right away in my project. I have been reading the code and the idea from the beginning. And it makes me ask myself, should we need an extra STATUS_CHOICES on the Email Model? Something like 'draft'? Or am I missing something?