Expose an interface for custom-escaping template content
| Reported by: | steveire | Owned by: | nobody |
| Cc: | net147@… | Triage Stage: | Design decision needed |
| Has patch: | yes | Needs documentation: | yes |
| Needs tests: | yes | Patch needs improvement: | no |
Django by default escapes HTML entities in Context content injected into a Template. For non-HTML content it is possible to implement a filter to implement custom escaping.
However, in that case, escaping must be explicit. There is no auto-escaping, because auto-escaping assumes HTML content.
It is possible to create a separate object to perform escaping, which can be overridden for custom escaping. The specific escaping needs to be accessible from _render_value_in_context, currently a free function associated with the Node class, and from filters, some of which need to escape or conditionalEscape their input (linenumbers and linebreaks and linebreaksbr filters).
The solution I used in a C++ implementation was an OutputStream class with a virtual method for escaping:
The disadvantage is that the stream must be passed through all methods in the API, sometimes cloned. In Python/Django, though, it may make more sense to register a function in the SETTINGS which should be used for escaping, so that custom autoescaping can be possible.
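The design described in the ticket, sketched as an added example that is neither Django's code nor the ticket's patch: a replaceable escaper object consulted both by the variable-rendering hook and by a filter that emits markup. All names here (`SafeText`, `HtmlEscaper`, `LatexEscaper`, `render_value`, `render`) are hypothetical, and the LaTeX character table is a constructed, non-exhaustive sample.

```python
import html


class SafeText(str):
    """Marks a string as already escaped for the current output format."""


class HtmlEscaper:
    """Default behaviour: escape HTML metacharacters."""

    def escape(self, text):
        return SafeText(html.escape(str(text), quote=True))

    def conditional_escape(self, value):
        # Already-safe text must not be escaped a second time.
        return value if isinstance(value, SafeText) else self.escape(value)


class LatexEscaper(HtmlEscaper):
    """Constructed example of a non-HTML target: escape LaTeX specials."""

    SPECIALS = {"\\": r"\textbackslash{}", "&": r"\&", "%": r"\%", "$": r"\$",
                "#": r"\#", "_": r"\_", "{": r"\{", "}": r"\}"}

    def escape(self, text):
        return SafeText("".join(self.SPECIALS.get(c, c) for c in str(text)))


def render_value(value, escaper, autoescape=True):
    """Stand-in for the node-level hook: every variable passes through here."""
    return escaper.conditional_escape(value) if autoescape else str(value)


def linebreaksbr(value, escaper, autoescape=True):
    """Filter that emits markup itself, so it must escape its input first."""
    if autoescape:
        value = escaper.conditional_escape(value)
    return SafeText(str(value).replace("\n", "<br />"))


def render(parts, context, escaper):
    """parts: literal strings, or ("var", name) tuples looked up in context."""
    return "".join(p if isinstance(p, str) else render_value(context[p[1]], escaper)
                   for p in parts)
```

Swapping the escaper changes what auto-escaping means for the whole render without touching the template or making each variable call an explicit filter.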
Change History (17)
comment:1 Changed 6 years ago by thejaswi_puthraya
- Component changed from Uncategorized to Template system
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:2 Changed 6 years ago by lukeplant
- Resolution set to wontfix
- Status changed from new to closed
comment:4 Changed 6 years ago by SmileyChris
- Has patch set
- Needs documentation set
- Needs tests set
- Resolution wontfix deleted
- Status changed from closed to reopened
- Version 1.2 deleted
comment:6 Changed 6 years ago by lukeplant
- Triage Stage changed from Unreviewed to Design decision needed