Opened 18 years ago
Closed 18 years ago
#2984 closed enhancement (duplicate)
allow to specify automatic HTML escaping for templates
| Reported by: | | Owned by: | Adrian Holovaty |
|---|---|---|---|
| Component: | Template system | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Hello,
the current templating mechanism is a little error-prone when it comes to HTML: suppose the following template
`<h1> {{title}} </h1>`
If the title value is controllable by the user, we have a security fault in the application, since the value can have HTML tags, possibly with JavaScript.
The correct template must be:
`<h1> {{title|escape}} </h1>`
Now, it is very tiresome to always remember to escape all those variables. It would be _very_ nice to have a default setting when rendering the template to always escape variable values unless noted otherwise. I have created a patch for that, which I will attach here tomorrow. It allows an optional keyword argument "html=True" for Template objects. To print out a variable unescaped one has to use the raw filter like this:
`<h1> {{title|raw}} </h1>`
Well, actually the "raw" filter is not a real filter, it is more like a flag telling the Template renderer to not HTML-quote the variable. A little hack, but it works :)
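As an added illustration of the behaviour the ticket asks for (this is example code, not Django's template engine and not the reporter's patch), here is a minimal renderer that escapes every substituted value by default and lets a template opt out with a `raw` flag, alongside the opt-in `escape` filter the description shows. The function and parameter names (`render`, `autoescape`) and the sample context are assumptions made for this example; the ticket's patch uses an `html=True` keyword on Template objects instead.

```python
import html
import re

# Matches {{ name }} or {{ name|filter|filter }} inside a template string.
VAR_RE = re.compile(r"\{\{\s*(\w+)((?:\|\w+)*)\s*\}\}")


def render(template, context, autoescape=True):
    """Substitute template variables from context.

    autoescape=True  : every value is HTML-escaped unless the variable
                       carries the 'raw' flag (the behaviour the ticket
                       proposes, spelled html=True in the reporter's patch).
    autoescape=False : a value is escaped only when the template applies
                       the 'escape' filter explicitly (the error-prone
                       default the ticket complains about).
    """
    def substitute(match):
        name = match.group(1)
        # group(2) looks like "|raw" or "|escape" or ""; split into names
        filters = [f for f in match.group(2).split("|") if f]
        value = str(context.get(name, ""))
        raw = "raw" in filters              # flag: emit the value verbatim
        explicit_escape = "escape" in filters
        if explicit_escape or (autoescape and not raw):
            value = html.escape(value, quote=True)
        return value

    return VAR_RE.sub(substitute, template)


# Constructed sample input: a title an attacker could control.
SAMPLE_CONTEXT = {"title": "<script>alert(1)</script>"}


def demo():
    """Render the three templates from the ticket under both modes."""
    return {
        "no_autoescape_plain": render("<h1> {{title}} </h1>", SAMPLE_CONTEXT, autoescape=False),
        "no_autoescape_escaped": render("<h1> {{title|escape}} </h1>", SAMPLE_CONTEXT, autoescape=False),
        "autoescape_plain": render("<h1> {{title}} </h1>", SAMPLE_CONTEXT),
        "autoescape_raw": render("<h1> {{title|raw}} </h1>", SAMPLE_CONTEXT),
    }


if __name__ == "__main__":
    for label, output in demo().items():
        print(f"{label:22} {output}")
```

With `autoescape=False` the forgotten filter on `{{title}}` emits the script tag untouched; with the default on, the same template renders it as inert text, and only a deliberate `|raw` restores the unescaped output. That inversion of the default is the whole point of the proposal: the safe outcome no longer depends on every template author remembering a filter.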
Change History (2)
comment:1 by , 18 years ago
This is an ongoing topic we've not decided on a great solution for -- see AutoEscaping. Since you say you've got a patch I'll leave this open instead of marking duplicate, but please make sure you read the existing discussion first.
comment:2 by , 18 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
Duplicate of #2359. Also see the django-developers mailing list archives for much discussion on this topic.