id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
18208	Escape translations by default	Artem Skoretskiy	nobody	"'''Proposal''':

1. By default treat translations (`trans` and `blocktrans` templatetags, `ugettext` and `ungettext` functions) as '''unsafe''' strings.
2. Add '''`safe`''' flag to `trans` and `blocktrans` templatetags that would mark their output as safe.
3. When using `ugettext` and `ungettext` functions -- explicitly use `|safe` filter to skip escaping.

Safety must be turned on by default. No one knows how their app will be translated. Always escaping it manually is not a solution, for the same reasons as escaping every string used on the page.

'''Use-case'''

Translators may easily use special chars in translations while trying to make them better.

See this example:
{{{
<p>{% blocktrans %}Check Terms and Conditions or 5 is more than 4{% endblocktrans %}</p>
<p>Even worse: <input type=""button"" value=""{% trans 'Do not save' %}"" /></p>
}}}

It looks fine until they translate the strings using special chars:
{{{
Check Terms & Conditions or 5 > 4
Don't save ""{{ item }}""
}}}

By default `blocktrans` and `trans` output ""safe"" strings, which leads to showing translations as-is. This would break the page completely and may lead to XSS and other unpleasant stuff.


'''Current workaround'''

To escape special chars in translations you always have to apply the `force_escape` filter manually to each translation:
{{{
<p>{% filter force_escape %}{% blocktrans %}Check Terms and Conditions or 5 is more than 4{% endblocktrans %}{% endfilter %}</p>
<p>Even worse: <input type=""button"" value=""{% filter force_escape %}{% trans 'Do not save {{ item }}' %}{% endfilter %}"" /></p>
}}}"	Uncategorized	closed	Internationalization	1.4	Normal	wontfix		tonn81@…	Design decision needed	0	0	0	0	0	0
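An added worked example, not part of the ticket and not Django's own code: a small pure-Python model of the proposal (escape translations by default, with an explicit `safe` opt-out), shown beside the as-is behaviour the ticket describes, plus a check that scans a translation catalog for entries that introduce HTML-special characters. The catalog `CATALOG` and the functions `render_trans`, `button` and `audit_catalog` are names invented here, and the catalog entries are constructed for illustration (two of them are the ticket's own translations).

```python
# Added example: a pure-Python model of the behaviour the ticket proposes.
# It is NOT Django's code and NOT from the ticket. CATALOG, render_trans,
# button and audit_catalog are names invented here; the catalog entries
# are constructed for illustration.
import html
import re

# Constructed translation catalog (msgid -> msgstr): the two translations
# from the ticket, one where the developer deliberately put HTML in the
# source string, and one hostile/mangled translation.
CATALOG = {
    "Check Terms and Conditions or 5 is more than 4":
        "Check Terms & Conditions or 5 > 4",
    "Do not save": 'Don\'t save "{{ item }}"',
    "Click <b>here</b>": "Klicke <b>hier</b>",
    "Goodbye": "Goodbye <script>alert(1)</script>",
}


def gettext(msgid):
    """Look up a translation; fall back to the msgid, as gettext does."""
    return CATALOG.get(msgid, msgid)


def render_trans(msgid, escape_by_default=True, safe=False):
    """Render a translated string into HTML.

    escape_by_default=False reproduces the behaviour the ticket describes
    for {% trans %}/{% blocktrans %}: the translation is emitted as-is.
    escape_by_default=True is the proposal: the translation is escaped
    unless the template author opts out with safe=True (the proposed
    'safe' flag, or |safe applied to a ugettext() result).
    """
    text = gettext(msgid)
    if not escape_by_default or safe:
        return text
    return html.escape(text, quote=True)


def button(msgid, **kwargs):
    """The ticket's 'even worse' case: a translation inside an attribute."""
    return '<input type="button" value="%s" />' % render_trans(msgid, **kwargs)


# Characters that change meaning when a translation is dropped into HTML
# unescaped, in element or attribute context.
HTML_SPECIAL = re.compile(r'[<>&"\']')


def audit_catalog(catalog):
    """Return msgids whose translation introduces HTML-special characters
    that the source string did not have. Those are exactly the entries
    that would break markup, or inject HTML, if rendered without escaping.
    A source string that already contains markup is treated as intentional
    and left to the template author to mark safe."""
    return [
        msgid
        for msgid, msgstr in catalog.items()
        if HTML_SPECIAL.search(msgstr) and not HTML_SPECIAL.search(msgid)
    ]


if __name__ == "__main__":
    terms = "Check Terms and Conditions or 5 is more than 4"
    print(render_trans(terms, escape_by_default=False))   # markup breaks
    print(render_trans(terms))                             # escaped
    print(button("Do not save", escape_by_default=False))  # attribute breakout
    print(button("Do not save"))                           # escaped
    print(render_trans("Click <b>here</b>", safe=True))    # explicit opt-in
    print(audit_catalog(CATALOG))
```

The audit is the check to run over a project's catalogs for as long as the `force_escape` workaround is in use: every entry it reports is one where the translator, not the template author, decides whether the page's markup survives.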
