'firstof' and 'cycle' should autoescape
Reported by: anonymous | Owned by: Vladimir.Filonov
Has patch: no | Needs documentation: no
Needs tests: no | Patch needs improvement: no
'firstof' and 'cycle' do not autoescape when used in a template.
My expected behavior for Django is: The results of all template tags should be escaped unless marked safe.
The current behavior is NOT a good approach. Instead of documenting such pitfalls, Django should be safe by default.
When I manually inspect the usage of 'firstof' and 'cycle' in several projects, it's almost a 100% hit with XSS-vulnerable code.
Is there any reason why the current (and documented) behaviour is better than just fixing this?
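The manual inspection the report describes can be automated for code bases still on an affected Django release: the scanner below (an added example, not code from this ticket or from Django) flags `firstof`/`cycle` arguments that are template variables carrying no `escape`/`force_escape` filter, while skipping quoted literals that the template author controls. The template source is constructed for the example.

```python
import re

# Matches {% firstof a b "c" %} and {% cycle a b as name %} tags.
TAG_RE = re.compile(r"{%\s*(firstof|cycle)\s+(.*?)\s*%}", re.DOTALL)
# Filters that HTML-escape an argument before these tags render it.
ESCAPE_FILTERS = ("|escape", "|force_escape")

# Constructed sample: two unescaped variables, literals, and two escaped variables.
SAMPLE_TEMPLATE = """
<td>{% firstof user.display_name user.username "anonymous" %}</td>
<tr class="{% cycle 'odd' 'even' %}">
<td>{% firstof comment.title|escape "untitled" %}</td>
<span>{% cycle item.label|force_escape "-" as label %}</span>
"""


def _split_args(arg_string):
    """Split tag arguments on whitespace, keeping quoted strings intact."""
    return re.findall(r'"[^"]*"|\'[^\']*\'|\S+', arg_string)


def find_unescaped_firstof_cycle(template_source):
    """Return (tag, argument) pairs for variables rendered without an escape filter.

    Quoted literals are skipped: they come from the template author, not user data.
    """
    findings = []
    for match in TAG_RE.finditer(template_source):
        tag, args = match.group(1), _split_args(match.group(2))
        if tag == "cycle" and "as" in args:
            # Drop the trailing "as name [silent]" clause; it names the cycle, not a value.
            args = args[: args.index("as")]
        for arg in args:
            if arg[0] in "\"'":
                continue  # string literal, author-controlled
            if not any(f in arg for f in ESCAPE_FILTERS):
                findings.append((tag, arg))
    return findings


if __name__ == "__main__":
    for tag, arg in find_unescaped_firstof_cycle(SAMPLE_TEMPLATE):
        print(f"unescaped {tag} argument: {arg}")
```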
Change History (15)
comment:1 Changed 4 years ago by harm
- Cc harm.verhagen+django@… added
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:3 Changed 4 years ago by PaulM
- Triage Stage changed from Unreviewed to Accepted
comment:5 Changed 3 years ago by Vladimir.Filonov
- Owner changed from nobody to Vladimir.Filonov
- Status changed from new to assigned
comment:9 Changed 3 years ago by Aymeric Augustin <aymeric.augustin@…>
- Resolution set to fixed
- Status changed from assigned to closed