Opened 16 years ago
Last modified 13 years ago
#10912 closed
Autoescaping variable input in template tags — at Version 2
| Reported by: | Andrew Badr | Owned by: | Andrew Badr |
|---|---|---|---|
| Component: | Template system | Version: | 1.0 |
| Severity: | Release blocker | Keywords: | |
| Cc: | Malcolm Tredinnick | Triage Stage: | Design decision needed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
(revised description)
When variables are used as input to template tags, we should handle autoescaping a bit better.
Original description was even shorter:
I'd expect firstof to escape variables.
Change History (3)
by , 16 years ago
| Attachment: | firstof_autoescape_t10912_r10630.diff added |
|---|
comment:1 by , 16 years ago
My expected behavior for Django is: The results of all template tags should be escaped unless marked safe. For builtin templatetags that return safe strings, this should include escaping any variables involved in rendering that template tag.
The included patch solves locally what I see as part of a bigger problem.
comment:2 by , 16 years ago
| Cc: | added |
|---|---|
| Description: | modified (diff) |
| Patch needs improvement: | set |
| Summary: | firstof template tag should autoescape variables → Autoescaping variable input in template tags |
| Triage Stage: | Unreviewed → Accepted |
Hmm. This is a bit of a slight change in policy, but not necessarily a bad one (right now, intentionally, only filters autoescape). However,
- Import
_render_change_in_context()smells and not of roses. Needs to be renamed or not imported or something. That leading underscore is a big clue. - We need something similar to the
autoescapeparameter that is passed to filters, so that template tags do not autoescape results when they are being used inside a block that does not do auto-escaping.
I guess template tags know whether they're putting the results into the context -- which means the output shouldn't be autoescaped, since it will be autoescaped on output and you don't know at template tag usage time whether output will involve auto-escaping or not, so it must be delayed until rendering -- or directly displaying the results? I suspect so, but that's something to think about and confirm.
What are the backwards compatibility issues here? In particular, right now, a template tag doesn't have to care about calling mark_safe() on the result, since it just inserts it into the template. If you add the auto-escaping behaviour at the wrong place, you'll undo that and a lot of existing template tags will break. That's going to be a little fiddly to work around.
I'm unenthusiastic about fixing just this single tag, since it does change the currently consistent behaviour across all template tags. I'm more enthusiastic about addressing the general issue, but it's a lot more tricky. I'm really enthusiastic about you doing it, Andrew, since I know you guys work in the template space a lot, so the results will have some validity and it means I don't have to work on this (that latter point is important to me; maybe less so to you).
Fix, with test