#14818 closed (fixed)
cycle tag is not safe — at Version 3
| Reported by: | Stephen Kelly | Owned by: | nobody |
|---|---|---|---|
| Component: | Template system | Version: | 1.2 |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
In [1]: from django.template import Template, Context
In [3]: t = Template("{% cycle one two as foo %} {% cycle foo %}")
In [5]: c = Context({"one" : "A & B", "two": "C & D"})
In [6]: t.render(c)
Out[6]: u'A & B C & D'
This is likely fixed by using _render_value_in_context() in the implementation of the cycle node render method.
Change History (4)
comment:1 by , 13 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:2 by , 13 years ago
| Resolution: | invalid |
|---|---|
| Status: | closed → reopened |
It's strange that you don't see the bug. The variable is written to the output unescaped.
What do you think I'm missing about how cycle works?
In [1]: from django.template import Template, Context
In [2]: t = Template("{{ one }}, {{ two }}, {% cycle one two as foo %}, {% cycle foo %}")
In [4]: c = Context({"one": "A & B", "two": "C & D"})
In [5]: t.render(c)
Out[5]: u'A & B, C & D, A & B, C & D'
comment:3 by , 13 years ago
| Description: | modified (diff) |
|---|---|
| Resolution: | → invalid |
| Status: | reopened → closed |
There is no bug, because the cycle tag is not supposed to escape its output, in common with other template tags. This is clearly explained in the documentation.
Note:
See TracTickets
for help on using tickets.
I don't see a bug here. You might be misunderstanding how the cycle tag works.