Django

Ticket #10369 (closed: fixed)

Opened 1 year ago

Last modified 1 year ago

{% trans %} and {% blocktrans %} breaking auto escape

Reported by: Briel <toppertc@gmail.com>
Assigned to: nobody
Milestone: 1.1
Component: Internationalization
Version: 1.0
Keywords:
Cc:
Triage Stage: Accepted
Has patch: 1
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

There is an issue with the {% trans %} and {% blocktrans %} breaking the auto escape of variables displayed in them.

If myvar is defined in the template these two examples will not escape the myvar:
{% trans myvar %}
{% blocktrans %}this is {{ myvar }}{% endblocktrans %}

However, if you use the "with" command with the blocktrans, auto escaping won't be lost:
{% blocktrans with myvar as myvar %}this is {{ myvar }}{% endblocktrans %}

Attachments

i18n_autoescape_t10369_r10178.diff (4.1 kB) - added by andrewbadr on 03/29/09 21:30:21.
Fix with tests
i18n_autoescape_t10369_r10178.2.diff (4.1 kB) - added by andrewbadr on 04/02/09 13:11:11.

Change History

02/28/09 13:12:27 changed by jacob

  • needs_better_patch changed.
  • needs_docs changed.
  • stage changed from Unreviewed to Accepted.
  • needs_tests changed.
  • milestone set to 1.1.

03/28/09 13:42:02 changed by andrewbadr

  • owner changed from nobody to andrewbadr.

03/29/09 21:30:21 changed by andrewbadr

  • attachment i18n_autoescape_t10369_r10178.diff added.

Fix with tests

03/29/09 22:05:25 changed by andrewbadr

  • has_patch set to 1.

Variables aren't getting escaped in the trans and blocktrans template tags because, unlike other template tags, they render their own contents. For blocktrans, one solution would be to save a VariableNode for each variable token in the parser, then render them all before the string interpolation. That seemed complicated, so I implemented the solution in this patch, at the cost of a new module-level function in django.template.
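A minimal model of the bug class discussed in this ticket, added here as an illustration and not taken from the attached patch or from Django's code: a tag that renders its own contents by string interpolation skips escaping unless each value is rendered first. The names SafeText, render_value, blocktrans_unescaped, blocktrans_escaped and leaks_raw, and the sample catalog, are assumptions; html.escape stands in for Django's escaping.

```python
from html import escape


class SafeText(str):
    """Marks a string as already-escaped HTML (stand-in for a 'safe' string)."""


def render_value(value, autoescape=True):
    """Render one context variable the way a normal {{ var }} output would."""
    text = str(value)
    if autoescape and not isinstance(value, SafeText):
        return escape(text)
    return text


def blocktrans_unescaped(msgid, context, catalog):
    """Behaviour reported in the ticket: raw context values are interpolated
    straight into the translated string, so auto-escaping never runs."""
    return catalog.get(msgid, msgid) % context


def blocktrans_escaped(msgid, context, catalog, autoescape=True):
    """Corrected behaviour: every value goes through normal variable rendering
    (and therefore auto-escaping) before the string interpolation."""
    rendered = {k: render_value(v, autoescape) for k, v in context.items()}
    return catalog.get(msgid, msgid) % rendered


def leaks_raw(output, raw):
    """Regression check: True if markup-bearing input appears unescaped."""
    return escape(raw) != raw and raw in output


# Constructed sample data (hypothetical translation catalog and context).
MSGID = "this is %(myvar)s"
CATALOG = {MSGID: "dies ist %(myvar)s"}
CONTEXT = {"myvar": "<b>Tom & Jerry</b>"}

if __name__ == "__main__":
    before = blocktrans_unescaped(MSGID, CONTEXT, CATALOG)
    after = blocktrans_escaped(MSGID, CONTEXT, CATALOG)
    print(before, leaks_raw(before, CONTEXT["myvar"]))
    print(after, leaks_raw(after, CONTEXT["myvar"]))
```

Values explicitly marked safe, and templates with auto-escaping turned off, still pass through unchanged in the corrected version.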

04/02/09 13:11:11 changed by andrewbadr

  • attachment i18n_autoescape_t10369_r10178.2.diff added.

04/02/09 13:14:57 changed by andrewbadr

  • owner changed from andrewbadr to nobody.

Added underscores to mark the function private. I've tried to come up with a way to do this using classes and inheritance but couldn't come up with anything sensible. The Node class already has a render method with a different signature. If "add some underscores and call it a day" is good enough, then I guess the patch is ready, otherwise someone else should take a look.

04/11/09 07:03:55 changed by mtredinnick

  • status changed from new to closed.
  • resolution set to fixed.

(In [10519]) Fixed #10369 -- Fixed auto-escaping inside "tran" and "blocktrans" tags.

Patch from Andrew Badr.

