Opened 9 years ago

Closed 9 years ago

#23937 closed Bug (wontfix)

Templates: control characters should be filtered out

Reported by: jogc Owned by: nobody
Component: Template system Version: 1.6
Severity: Normal Keywords: control charcaters c0 codes templates
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


When rendering the value of variables, Django does automatic HTML escaping by default, but it does not filter out control characters that are invalid in HTML. It should.

Invalid C0 control characters are x00-x08, 0xB-x0C, x0E-x1F. At the very least x00 should be filtered out, since its invalid in every version of HTML/XHTML/XML.

Put \x00 in a variable and expand it in a template, save the resulting html and upload it to W3s validator.


Change History (3)

comment:1 by Tim Graham, 9 years ago

Django templates may be used to render more than HTML, XHTML, and XML. I am not sure if control characters would ever have a use in other contexts. Do other web frameworks automatically remove control characters? Maybe you could also elaborate a bit on how control characters got into your data in the first place as it's not a common problem I've seen. Thanks!

comment:2 by Markus Holtermann, 9 years ago

I don't think it's a good idea to make Django filter any characters by default. If you have data that you want to filter, I suggest you write either a template filter or template tag, depending on your needs.

I'd go with a won't fix here.

comment:3 by Tim Graham, 9 years ago

Resolution: wontfix
Status: newclosed

That was my thought as well. I'll close the ticket for now until the reporter provides additional information.

Note: See TracTickets for help on using tickets.
Back to Top