Django

Ticket #2984 (closed: duplicate)

Opened 2 years ago

Last modified 2 years ago

allow to specify automatic HTML escaping for templates

Reported by: Bastian Kleineidam <calvin@debian.org>
Assigned to: adrian
Milestone:
Component: Template system
Version:
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: 0
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

Hello,

The current templating mechanism is a little error-prone when it comes to HTML: suppose the following template:

<h1> {{title}} </h1>

If the title value is controllable by the user, we have a security fault in the application, since the value can have HTML tags, possibly with JavaScript.

The correct template must be:

<h1> {{title|escape}} </h1>

Now, it is very tiresome to always remember to escape all those variables. It would be _very_ nice to have a default setting when rendering the template to always escape variable values unless noted otherwise. I have created a patch for that, which I will attach here tomorrow. It allows an optional keyword argument "html=True" for Template objects. To print out a variable unescaped, one has to use the raw filter like this:

<h1> {{title|raw}} </h1>

Well, actually the "raw" filter is not a real filter, it is more like a flag telling the Template renderer to not HTML-quote the variable. A little hack, but it works :)
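As an added illustration of the behaviour the ticket describes (this is example code written for this page, not the reporter's attached patch and not Django's own template engine): a toy Template class with an html=True keyword that escapes every substituted variable unless it carries the raw flag, and that treats raw and escape as flags on the final output rather than as ordinary filters in the chain. The class, the small filter table, the helper functions and the attacker-controlled sample title are all constructed for the example.

```python
import html
import re

# Matches {{ name }} or {{ name|filter|filter }} with optional whitespace.
_VAR_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)((?:\|[A-Za-z_]+)*)\s*\}\}")

# Ordinary value-transforming filters (hypothetical names for this example).
FILTERS = {
    "upper": str.upper,
    "lower": str.lower,
}


class Template:
    """Toy template: {{var}} substitution with opt-in escape-by-default (html=True)."""

    def __init__(self, source, html=False):
        self.source = source
        self.html = html

    def render(self, context):
        def substitute(match):
            name, chain = match.group(1), match.group(2)
            filters = [f for f in chain.split("|") if f]
            value = str(context.get(name, ""))
            for f in filters:
                if f not in ("raw", "escape"):
                    value = FILTERS[f](value)
            # 'raw' and 'escape' are flags on the final output, not transforms in
            # the chain: escaping always runs last, so it never mangles what another
            # filter produced and never double-encodes an explicitly escaped value.
            if "escape" in filters or (self.html and "raw" not in filters):
                value = html.escape(value)
            return value

        return _VAR_RE.sub(substitute, self.source)


# Constructed attacker-controlled value, as if it came from a form field.
USER_TITLE = '<img src=x onerror="alert(1)">'


def render_unsafe_default():
    # The behaviour the ticket complains about: nothing is escaped unless the
    # template author remembered to write {{title|escape}}.
    return Template("<h1> {{title}} </h1>").render({"title": USER_TITLE})


def render_escaped_by_default():
    # html=True: the same markup becomes safe without touching the template.
    return Template("<h1> {{title}} </h1>", html=True).render({"title": USER_TITLE})


def render_raw_opt_out():
    # |raw deliberately reopens the hole; reserve it for values the application
    # itself produced, never for user input.
    return Template("<h1> {{title|raw}} </h1>", html=True).render({"title": USER_TITLE})


def render_explicit_escape_no_double():
    # |escape under html=True must encode the value exactly once.
    return Template("<h1> {{title|escape}} </h1>", html=True).render({"title": USER_TITLE})


if __name__ == "__main__":
    print("default:   ", render_unsafe_default())
    print("html=True: ", render_escaped_by_default())
    print("|raw:      ", render_raw_opt_out())
    print("|escape:   ", render_explicit_escape_no_double())
```

One caveat worth keeping in mind when reading the ticket: html.escape handles the HTML body (and quoted attribute) context only. A value placed in an unquoted attribute, in a URL, or inside a script block needs context-specific encoding, which a blanket escape-by-default setting does not provide on its own.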

Attachments

Change History

11/06/06 13:39:12 changed by jacob

This is an ongoing topic we've not decided on a great solution for -- see AutoEscaping. Since you say you've got a patch I'll leave this open instead of marking duplicate, but please make sure you read the existing discussion first.

11/06/06 13:40:29 changed by adrian

  • status changed from new to closed.
  • resolution set to duplicate.

Duplicate of #2359. Also see the django-developers mailing list archives for much discussion on this topic.

