#21722 closed Cleanup/optimization (fixed)
Add warning for avoiding XSS vulnerabilities when reusing built-in filters
Reported by: | Tim Graham | Owned by: | nobody |
---|---|---|---|
Component: | Documentation | Version: | 1.6 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
When calling built-in filters in Python code rather than in templates, one must pass autoescape=True
to the filter, otherwise the filter input ends up marked safe and never get escaped once rendered in the template.
Attachments (1)
Change History (4)
by , 11 years ago
Attachment: | 21722.diff added |
---|
comment:1 by , 11 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
comment:2 by , 11 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
The code example should be calling
urlize
withtext
instead ofs
.Except this typo the patch looks RFC to me.