Opened 8 years ago

Closed 7 years ago

Last modified 5 years ago

#10369 closed (fixed)

{% trans %} and {% blocktrans %} breaking auto escape

Reported by: Briel <toppertc@…> Owned by: nobody
Component: Internationalization Version: 1.0
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


There is an issue with the {% trans %} and {% blocktrans %} breaking the auto escape of variables displayed in them.

If myvar is defined in the template these two examples will not escape the myvar:
{% trans myvar %}
{% blocktrans %}this is {{ myvar }}{% endblocktrans %}

However, if you use the "with" command with the blocktrans, auto escaping wont be lost:
{% blocktrans with myvar as myvar %}this is {{ myvar }}{% endblocktrans %}

Attachments (2)

i18n_autoescape_t10369_r10178.diff (4.1 KB) - added by andrewbadr 7 years ago.
Fix with tests
i18n_autoescape_t10369_r10178.2.diff (4.1 KB) - added by andrewbadr 7 years ago.

Download all attachments as: .zip

Change History (8)

comment:1 Changed 8 years ago by jacob

  • milestone set to 1.1
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

comment:2 Changed 7 years ago by andrewbadr

  • Owner changed from nobody to andrewbadr

Changed 7 years ago by andrewbadr

Fix with tests

comment:3 Changed 7 years ago by andrewbadr

  • Has patch set

Variables aren't getting escaped in the trans and blocktrans template tags because, unlike other template tags, they render their own contents. For blocktrans, one solution would be to save a VariableNode for each variable token in the parser, then render them all before the string interpolation. That seemed complicated, so I implemented the solution in this patch, at the cost of a new module-level function in django.template.

Changed 7 years ago by andrewbadr

comment:4 Changed 7 years ago by andrewbadr

  • Owner changed from andrewbadr to nobody

Added underscores to mark the function private. I've tried to come up with a way to do this using classes and inheritence but couldn't come up with anything sensible. The Node class already has a render method with a different signature. If "add some underscores and call it a day" is good enough, then I guess the patch is ready, otherwise someone else should take a look.

comment:5 Changed 7 years ago by mtredinnick

  • Resolution set to fixed
  • Status changed from new to closed

(In [10519]) Fixed #10369 -- Fixed auto-escaping inside "tran" and "blocktrans" tags.

Patch from Andrew Badr.

comment:6 Changed 5 years ago by jacob

  • milestone 1.1 deleted

Milestone 1.1 deleted

Note: See TracTickets for help on using tickets.
Back to Top