Expose an interface for custom-escaping template content
| Reported by: | Stephen Kelly | Owned by: | nobody |
| Cc: | net147@… | Triage Stage: | Design decision needed |
| Has patch: | yes | Needs documentation: | yes |
| Needs tests: | yes | Patch needs improvement: | no |
Django by default escapes HTML entities in Context content injected into a Template. For non-HTML content it is possible to implement a filter to implement custom escaping.
However, in that case, escaping must be explicit. There is no auto-escaping, because auto-escaping assumes HTML content.
It is possible to create a separate object to perform escaping, which can be overridden for custom escaping. The specific escaping needs to be accessible from _render_value_in_context, currently a free function associated with the Node class, and from filters, some of which need to escape or conditionalEscape their input (linenumbers and linebreaks and linebreaksbr filters).
The solution I used in a C++ implementation was an OutputStream class with a virtual method for escaping:
The disadvantage is that the stream must be passed through all methods in the API, sometimes cloned. In Python/Django, though, it may make more sense to register a function in the SETTINGS which should be used for escaping, so that custom autoescaping can be possible.
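The pluggable-escaper idea from the description above, as an added sketch that is not part of the ticket and not Django's API: `render`, `SafeString` and `latex_escape` are hypothetical names, and the sample value is constructed. It shows that HTML auto-escaping leaves a LaTeX output context unprotected, while the same renderer with a swapped-in escaper neutralises the metacharacters.

```python
import html
import re


class SafeString(str):
    """Hypothetical marker for output that is already safe and must not be escaped."""


# LaTeX metacharacters and their escaped forms.
_LATEX_MAP = {
    "\\": r"\textbackslash{}", "{": r"\{", "}": r"\}", "$": r"\$",
    "&": r"\&", "#": r"\#", "%": r"\%", "_": r"\_",
    "~": r"\textasciitilde{}", "^": r"\textasciicircum{}",
}
_LATEX_RE = re.compile("|".join(re.escape(c) for c in _LATEX_MAP))


def latex_escape(value):
    # One pass over the input, so braces introduced by a replacement
    # (e.g. in \textbackslash{}) are never escaped a second time.
    return _LATEX_RE.sub(lambda m: _LATEX_MAP[m.group(0)], value)


_VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, context, escaper=html.escape):
    """Substitute {{ name }} variables, auto-escaping each with `escaper`."""
    def substitute(match):
        value = context[match.group(1)]
        if isinstance(value, SafeString):
            return str(value)          # already safe for this output format
        return escaper(str(value))     # everything else is escaped implicitly
    return _VAR_RE.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample: an untrusted value rendered into a LaTeX document.
    ctx = {"name": "R&D_2024 <50%>"}
    print(render("Dept: {{ name }}", ctx))                        # HTML escaper
    print(render("Dept: {{ name }}", ctx, escaper=latex_escape))  # LaTeX escaper
```

With the default HTML escaper the output still contains `&`, `_` and `%`, all of which are active characters in LaTeX.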
Change History (17)
comment:1 Changed 6 years ago by
| Component: | Uncategorized → Template system |
| Patch needs improvement: | unset |
comment:4 Changed 6 years ago by
| Status: | closed → reopened |