Ticket #5945 (closed: fixed)

Opened 1 year ago

Last modified 1 year ago

String constants in filters and variable tags should be marked safe

Reported by: SmileyChris
Assigned to: nobody
Milestone:
Component: Template system
Version: SVN
Keywords: auto-escaping
Cc:
Triage Stage: Design decision needed
Has patch: 1
Needs documentation: 0
Needs tests: 1
Patch needs improvement: 0

Description

Since string constants are directly within the realm of the template author, they shouldn't be touched by auto-escaping.

Examples:

{{ "<p>don't touch me</p>" }}
{{ caption|default:"<em>No caption</em>" }}

Attachments

safe_constants.diff (0.9 kB) - added by SmileyChris on 11/14/07 19:57:24.

Change History

11/14/07 19:57:24 changed by SmileyChris

  • attachment safe_constants.diff added.

11/14/07 20:02:04 changed by SmileyChris

  • needs_better_patch changed.
  • stage changed from Unreviewed to Design decision needed.
  • needs_tests set to 1.
  • needs_docs changed.

One consideration is that this will mark i18n "constant" translated strings, too. The template author doesn't see these directly, so I'm not sure if that is acceptable.

For example, {{ caption|default:_("what if I am dangerous?") }}.
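
The following is an added example, not code from the ticket, its patch, or Django itself: a pared-down model of template auto-escaping that shows what the ticket description and the i18n consideration above are about. With `literal_args_safe=False` (the behaviour the ticket reports) the author's own string constant is escaped; with it `True` (the behaviour the ticket asks for) the constant passes through while variable data such as `caption` is still escaped, and a translated constant is also trusted, so whatever the translator put in the catalogue reaches the page unescaped. All names in the block (`SafeString`, `mark_safe`, `conditional_escape`, `default_filter`, `gettext`, `TRANSLATIONS`, the `render_*` helpers) are this example's own, even where they echo Django's, and the translation catalogue is a constructed sample.

```python
import html

# Added example, not Django's own code: a minimal model of template
# auto-escaping built to illustrate ticket #5945. Every name here is
# this example's own, even where it echoes a Django name.


class SafeString(str):
    """String the template engine trusts: auto-escaping passes it through."""


def mark_safe(s):
    """Flag a string as already-safe HTML (the template author's responsibility)."""
    return SafeString(s)


def conditional_escape(value):
    """Escape HTML special characters unless the value is marked safe."""
    if isinstance(value, SafeString):
        return value
    return mark_safe(html.escape(str(value), quote=True))


def default_filter(value, arg):
    """Model of the 'default' filter: fall back to arg when value is falsy.
    The filter does not declare its output safe, so the engine escapes the
    result unless the object it returns was already marked safe."""
    return value if value else arg


def literal_arg(text, literal_args_safe):
    """A string constant written by the template author.
    Before the fix it is an ordinary (escapable) str; after the fix,
    as the ticket asks, it is marked safe."""
    return mark_safe(text) if literal_args_safe else text


def render_default(caption, literal, literal_args_safe):
    """Render {{ caption|default:"<literal>" }} with auto-escaping on.
    `caption` stands for request or database data and is never trusted."""
    arg = literal_arg(literal, literal_args_safe)
    return str(conditional_escape(default_filter(caption, arg)))


def render_literal_tag(literal, literal_args_safe):
    """Render {{ "<literal>" }}: a bare string constant in a variable tag."""
    return str(conditional_escape(literal_arg(literal, literal_args_safe)))


# Constructed stand-in for a translation catalogue. The translator, not the
# template author, controls this text.
TRANSLATIONS = {
    "No caption": "<em>Kein Titel</em>",
}


def gettext(msgid):
    """Model of _(): return the translator's string as a plain str."""
    return TRANSLATIONS.get(msgid, msgid)


def render_translated_default(caption, msgid, literal_args_safe):
    """Render {{ caption|default:_("msgid") }}. Marking the literal safe
    marks the *translated* text safe, so any markup the translator supplied
    reaches the page unescaped: the trust question raised in the ticket."""
    arg = literal_arg(gettext(msgid), literal_args_safe)
    return str(conditional_escape(default_filter(caption, arg)))


if __name__ == "__main__":
    for safe in (False, True):
        print(f"literal args marked safe = {safe}")
        print("  ", render_literal_tag("<p>don't touch me</p>", safe))
        print("  ", render_default("", "<em>No caption</em>", safe))
        print("  ", render_default("<b>from user</b>", "<em>No caption</em>", safe))
        print("  ", render_translated_default("", "No caption", safe))
```

Running the block prints each case under both settings. The line to watch is the last one: once literals are trusted, the translated fallback is rendered verbatim, which is exactly why the comment above asks whether that is acceptable when the template author never sees the translated text.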

11/15/07 02:08:34 changed by mir

I think your original report is right and template strings should be marked as safe (I am surprised they aren't!). The problem with translations is that the translator cannot mark a translation as safe, and if it's done in the template, the template author still has to trust the translator.

11/17/07 06:11:27 changed by mtredinnick

  • status changed from new to closed.
  • resolution set to fixed.

(In [6680]) Fixed #5945 -- Treat string literals in template filter arguments as safe strings for auto-escaping purposes.