id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
14125	'Safe strings' are not force-escaped on development 500 page	Elijah Rutschman	Elijah Rutschman	"In the 'Local vars' section of the debugging 500 error page, strings that have been 'marked safe' are not escaped before output, which has often resulted in HTML from my variables being inserted into the page.

While using 'mark_safe' on a string variable indicates that the string should not be escaped further, I think an exception should be made for the debugging 500 page, based on my assumption that most developers would rather see a string's value than the resultant HTML elements.

I have attached a patch that uses 'force_escape' in lieu of 'escape'."		closed	Uncategorized	dev		duplicate	debug.py 500 escape		Design decision needed	1	0	1	0	0	0
