Opened 6 years ago

Closed 6 years ago

#11170 closed (worksforme)

Safe filter closes an open html tag in some cases

Reported by: ckopec
Owned by: nobody
Component: Uncategorized
Version:
Severity:
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

I believe this is a bug; if it's expected or just my error, I'm sorry for the inconvenience.

It seems that the safe filter in some cases closes an open tag before inserting the text being filtered.

What I mean is as follows:

Let's say comment.html contains the following:

<p>This is some text <strong>Bold text</strong>!</p>
<p>More filler</p>

In my template I have:

<p class="comment-text">
    {{ comment.html|safe }}
</p>

When the page is generated I get this for html.

<p class="comment-text"></p>
<p>This is some text <strong>Bold text</strong>!</p>
<p>More filler</p>

See how the first p tag is closed prior to the comment.html contents.

Now if I change the wrapping p tag to a span I get a different outcome.

<span class="comment-text">
    <p>This is some text <strong>Bold text</strong>!</p>
    <p>More filler</p>
</span>

In this case the span tag wraps the comment.html contents.

Change History (1)

comment:1 Changed 6 years ago by kmtracey

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to worksforme
  • Status changed from new to closed

I cannot recreate this. Using this code:

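from django.shortcuts import render_to_response

# Minimal stand-in for the reporter's comment object: only the .html attribute is needed.
class Comment(object):
    def __init__(self, s):
        self.html = s

# View that renders comment.html with the markup from the report.
def testit(request):
    c = Comment("""<p>This is some text <strong>Bold text</strong>!</p>
 <p>More filler</p>""")
    return render_to_response('comment.html', {'comment': c})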

and this comment.html file:

 <p class="comment-text">
    {{ comment.html|safe }}
 </p>

I get this rendered html:

<p class="comment-text">
    <p>This is some text <strong>Bold text</strong>!</p>
 <p>More filler</p>
 </p>

That's with a relatively recent trunk but safe hasn't changed in ages and anyway I can't envision any way it could ever be arbitrarily inserting close tags -- it doesn't have any context to know what tags are open at the time it is called, it just has the value of the text it is supposed to filter.

There's got to be more to the problem you are seeing. Please try the code I've included and see if it behaves properly for you. If so, you can start investigating the differences between what your code does exactly and this simple example. If not, please post more specifics on what version of Django you are running, etc.
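Added example, not part of the ticket or of Django: the comment above notes that safe only sees the string it filters, and the two outputs in this thread are consistent with the HTML parsing rule that a `<p>` start tag implicitly closes an open `p` element. The sketch below is a simplified stdlib model of that rule applied to both wrappers from the report. It assumes the reporter was reading a browser's parsed DOM rather than the raw response, and `browser_view`, `ImpliedPClose`, `CLOSES_P` and `VOID` are names made up here.

```python
from html.parser import HTMLParser

# Constructed from the markup quoted in the ticket.
COMMENT = "<p>This is some text <strong>Bold text</strong>!</p>\n<p>More filler</p>"
P_WRAPPED = '<p class="comment-text">\n    ' + COMMENT + "\n</p>"
SPAN_WRAPPED = '<span class="comment-text">\n    ' + COMMENT + "\n</span>"
# Simplified subset of the start tags that close an open <p> in the HTML spec.
CLOSES_P = {"p", "div", "ul", "ol", "table", "blockquote", "pre", "h1", "h2", "h3"}
VOID = {"br", "hr", "img", "input", "link", "meta"}  # elements with no end tag

class ImpliedPClose(HTMLParser):
    """Re-serialise markup with <p> nested the way an HTML tree builder nests it."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.stack, self.out = [], []

    def _close_to(self, tag):
        # Close every open element up to and including `tag`.
        while self.stack:
            top = self.stack.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_starttag(self, tag, attrs):
        if tag in CLOSES_P and "p" in self.stack:
            self._close_to("p")  # implied </p>: a <p> cannot contain these
        if tag not in VOID:
            self.stack.append(tag)
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in self.stack:
            self._close_to(tag)
        elif tag == "p":
            self.out.append("<p></p>")  # stray </p> yields an empty paragraph

    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append("&%s;" % name)
    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

def browser_view(markup):
    parser = ImpliedPClose()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

With the `<p>` wrapper, the wrapper is closed before the comment markup and the trailing `</p>` becomes an empty paragraph; the `<span>` wrapper comes back unchanged.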
