Opened 9 years ago

Closed 9 years ago

#23937 closed Bug (wontfix)

Templates: control characters should be filtered out

Reported by: jogc Owned by: nobody
Component: Template system Version: 1.6
Severity: Normal Keywords: control characters c0 codes templates
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When rendering the value of variables, Django does automatic HTML escaping by default, but it does not filter out control characters that are invalid in HTML. It should.

Invalid C0 control characters are x00-x08, x0B-x0C, x0E-x1F. At the very least x00 should be filtered out, since it's invalid in every version of HTML/XHTML/XML.

Reproduce:
Put \x00 in a variable and expand it in a template, save the resulting HTML and upload it to the W3C's validator.

References:
http://en.wikipedia.org/wiki/Character_encodings_in_HTML#Illegal_characters
http://en.wikipedia.org/wiki/Valid_characters_in_XML
http://www.w3.org/TR/xml11/#charsets
http://www.i18nguy.com/test/controls.htm

Change History (3)

comment:1 by Tim Graham, 9 years ago

Django templates may be used to render more than HTML, XHTML, and XML. I am not sure if control characters would ever have a use in other contexts. Do other web frameworks automatically remove control characters? Maybe you could also elaborate a bit on how control characters got into your data in the first place as it's not a common problem I've seen. Thanks!

comment:2 by Markus Holtermann, 9 years ago

I don't think it's a good idea to make Django filter any characters by default. If you have data that you want to filter, I suggest you write either a template filter or template tag, depending on your needs.

I'd go with a won't fix here.

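A template filter of the kind comment 2 suggests, added here as an example; it is not part of the ticket or of Django itself, and the filter name `strip_control` and the templatetags module path are assumptions. It removes exactly the C0 range the report lists (x00-x08, x0B-x0C, x0E-x1F), keeps tab, LF and CR, and also exposes a locator so the bad characters can be logged before they are dropped:

```python
import re

# C0 control characters that are invalid in HTML/XHTML/XML, as listed in the
# ticket: U+0000-U+0008, U+000B-U+000C, U+000E-U+001F. Tab (x09), LF (x0A)
# and CR (x0D) are legal whitespace and are deliberately kept.
_INVALID_C0 = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")


def find_control_chars(value):
    """Return (offset, codepoint) pairs for each invalid C0 character in value.

    Handy for logging which field carried the characters, since comment 1 asks
    how they got into the data in the first place.
    """
    return [(m.start(), ord(m.group())) for m in _INVALID_C0.finditer(str(value))]


def strip_control_chars(value):
    """Remove invalid C0 control characters and leave everything else as is.

    The result is a plain str, so Django's normal autoescaping still applies
    to it afterwards.
    """
    return _INVALID_C0.sub("", str(value))


# Register the filter only when Django is importable, so the plain functions
# above stay usable on their own. In a project this module would live at
# <app>/templatetags/control_chars.py (assumed path) and be used as
# {% load control_chars %} ... {{ value|strip_control }}.
try:
    from django import template

    register = template.Library()
    # is_safe=True: stripping only removes characters, so a string that was
    # already marked safe stays safe; unsafe input is still autoescaped.
    register.filter("strip_control", strip_control_chars, is_safe=True)
except ImportError:
    register = None
```
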
comment:3 by Tim Graham, 9 years ago

Resolution: wontfix
Status: new → closed

That was my thought as well. I'll close the ticket for now until the reporter provides additional information.
