id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
6948	Join filter string literal escaped, docs say it shouldn't	dougvanhorn@…	Malcolm Tredinnick	"Per the [http://www.djangoproject.com/documentation/templates/#string-literals-and-automatic-escaping template documentation], string literal arguments are inserted into a template without being escaped, e.g.,:

{{{
{{ foo|default:""&amp;"" }}
}}}

renders:

{{{
&amp;
}}}

and not:

{{{
&amp;amp;
}}}

But when I do:

{{{
{{ foo_list|join:"" &amp; "" }}
}}}

I get the HTML:

{{{
1 &amp;amp; 2 &amp;amp; 3
}}}

instead of:

{{{
1 &amp; 2 &amp; 3
}}}

 In other words, the string literal supplied to the join filter is escaped, where the docs imply [http://www.djangoproject.com/documentation/templates/#string-literals-and-automatic-escaping otherwise], or at least aren't quite clear IMHO.

I've provided a patch that fixes the problem with the join filter that conditionally escapes the user data but leaves the string literal unescaped.
"		closed	Template system	dev		fixed	join filter stringliteral		Design decision needed	1	0	0	0	0	0