#14818 closed (fixed)
cycle tag is not safe — at Version 3
Reported by: | Stephen Kelly | Owned by: | nobody |
---|---|---|---|
Component: | Template system | Version: | 1.2 |
Severity: | Keywords: | ||
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
In [1]: from django.template import Template, Context In [3]: t = Template("{% cycle one two as foo %} {% cycle foo %}") In [5]: c = Context({"one" : "A & B", "two": "C & D"}) In [6]: t.render(c) Out[6]: u'A & B C & D'
This is likely fixed by using _render_value_in_context() in the implementation of the cycle node render method.
Change History (4)
comment:1 by , 14 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:2 by , 14 years ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
It's strange that you don't see the bug. The variable is written to the output unescaped.
What do you think I'm missing about how cycle works?
In [1]: from django.template import Template, Context In [2]: t = Template("{{ one }}, {{ two }}, {% cycle one two as foo %}, {% cycle foo %}") In [4]: c = Context({"one": "A & B", "two": "C & D"}) In [5]: t.render(c) Out[5]: u'A & B, C & D, A & B, C & D'
comment:3 by , 14 years ago
Description: | modified (diff) |
---|---|
Resolution: | → invalid |
Status: | reopened → closed |
There is no bug, because the cycle tag is not supposed to escape its output, in common with other template tags. This is clearly explained in the documentation.
Note:
See TracTickets
for help on using tickets.
I don't see a bug here. You might be misunderstanding how the cycle tag works.