Escaping in the startproject command
|Reported by:|Marc Tamlyn|Owned by:|nobody|
|Component:|Core (Management commands)|Version:|master|
|Cc:|Florian Apolloner|Triage Stage:|Accepted|
|Has patch:|yes|Needs documentation:|no|
|Needs tests:|yes|Patch needs improvement:|no|
The startproject command uses the template language, and seems to be HTML-escaping various things. For example, aviraldg reported on IRC getting a SECRET_KEY with several instances of & in the middle of the string.
In this context it's harmless, but it may break other places where & or < are legitimate characters. We should probably render the whole template with escaping disabled.
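As an added illustration (not code from the ticket or from Django), the sketch below models the reported behaviour with Python's `html.escape` standing in for template autoescaping, and adds a check that flags entity sequences in a rendered SECRET_KEY line. The sample key, the one-line settings template and the function names are constructed for the example.

```python
import html
import re

# Constructed sample: a key containing '&', rendered into a one-line
# stand-in for the settings file produced from the project template.
SAMPLE_KEY = "k3&x!p9&z(q=+w_&t"
SETTINGS_LINE = "SECRET_KEY = '{key}'\n"

# Entities an HTML-escaping pass can emit (named, decimal and hex forms).
ENTITY_RE = re.compile(r"&(?:amp|lt|gt|quot|#39|#x27);")
KEY_RE = re.compile(r"^SECRET_KEY\s*=\s*(['\"])(.*)\1\s*$", re.MULTILINE)


def render(key, autoescape):
    """Model of rendering the key into the template.

    Assumption: html.escape stands in for the template engine's autoescaping.
    """
    value = html.escape(key) if autoescape else key
    return SETTINGS_LINE.format(key=value)


def written_key(settings_text):
    """Return the key exactly as written to the settings text, or None."""
    match = KEY_RE.search(settings_text)
    return match.group(2) if match else None


def escaped_entities(settings_text):
    """Return HTML entities found inside SECRET_KEY, or [] if it is clean."""
    key = written_key(settings_text)
    return ENTITY_RE.findall(key) if key is not None else []


if __name__ == "__main__":
    for mode in (True, False):
        text = render(SAMPLE_KEY, autoescape=mode)
        found = escaped_entities(text)
        print(f"autoescape={mode}: {text.strip()}  entities={found}")
```

With escaping on, the written key is longer than the generated one and no longer matches it; with escaping off, the value round-trips unchanged.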