#1270 closed defect (fixed)
[patch] Escape filter does not escape single quotes to &apos;
| Reported by: | beegee | Owned by: | Adrian Holovaty |
|---|---|---|---|
| Component: | Template system | Version: | |
| Severity: | major | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The escape filter does not escape single quotes to &apos;. Why not? It can simply be repaired in the following file http://code.djangoproject.com/browser/django/trunk/django/utils/html.py.
Line 28 in this file states: return html.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;')
Simply extend this line as follows: return html.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;').replace("'", '&apos;')
When building XML files with the Django template system this is a life saver, because now all five internally declared XML entities are nicely escaped by the escape filter.
Attachments (2)
Change History (8)
comment:1 by , 19 years ago
by , 19 years ago
[patch] added unicode replacement (\u0027) to single quotes
comment:2 by , 19 years ago
.replace("'", "\\'")
While I added the unicode patch, couldn't this be used instead?
comment:5 by , 19 years ago
| Summary: | Escape filter does not escape single quotes to &apos; → [patch] Escape filter does not escape single quotes to &apos; |
|---|---|
comment:6 by , 19 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
The problem with this: apos isn't a valid entity in HTML, it's only valid in XML (and therefore should be valid in XHTML). So it's always a problem to add it, because anybody producing HTML4 will get invalid entities. Better to replace it by its Unicode numerical encoding, as that is valid in both HTML and XML.
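The trade-off discussed in this ticket, as an added example that is not Django's own code or part of any comment above: it escapes the five characters with either `&apos;` or a numeric reference for the single quote, checks the result against Python's HTML 4 entity table, and round-trips it through an XML parser. The function names, the sample string and the choice of `&#39;` (the decimal reference for U+0027) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from html.entities import name2codepoint  # named entities defined by HTML 4.01

# Ampersand must be replaced first, otherwise the '&' of later entities
# would be escaped a second time.
NUMERIC = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
           ('"', "&quot;"), ("'", "&#39;")]
# Variant proposed in the ticket description: named entity for the quote.
NAMED = NUMERIC[:-1] + [("'", "&apos;")]


def escape(text, table=NUMERIC):
    """Escape the five markup-significant characters using the given table."""
    for char, entity in table:
        text = text.replace(char, entity)
    return text


def named_entities_missing_from_html4(markup):
    """Return the named entities in markup that HTML 4 does not define."""
    names = re.findall(r"&([A-Za-z][A-Za-z0-9]*);", markup)
    return sorted({name for name in names if name not in name2codepoint})


def xml_attr_roundtrip(value, table=NUMERIC):
    """Put the escaped value in a single-quoted XML attribute and parse it."""
    doc = "<item title='%s'/>" % escape(value, table)
    return ET.fromstring(doc).get("title")


SAMPLE = "Tom's <b>\"AT&T\"</b>"  # constructed sample input

if __name__ == "__main__":
    for label, table in (("numeric", NUMERIC), ("named", NAMED)):
        out = escape(SAMPLE, table)
        print(label, out)
        print("  not in HTML 4:", named_entities_missing_from_html4(out))
        print("  XML round trip ok:", xml_attr_roundtrip(SAMPLE, table) == SAMPLE)
```

Both variants survive the XML round trip; only the `&apos;` variant produces an entity that the HTML 4 table does not contain.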