id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23937	Templates: control characters should be filtered out	jogc	nobody	"When rendering the value of variables, Django does automatic HTML escaping by default, but it does not filter out control characters that are invalid in HTML. It should.

Invalid C0 control characters are x00-x08, x0B-x0C, x0E-x1F. At the very least x00 should be filtered out, since it's invalid in every version of HTML/XHTML/XML.

Reproduce:
Put \x00 in a variable and expand it in a template, save the resulting HTML and upload it to the W3C validator.

References:
http://en.wikipedia.org/wiki/Character_encodings_in_HTML#Illegal_characters
http://en.wikipedia.org/wiki/Valid_characters_in_XML
http://www.w3.org/TR/xml11/#charsets
http://www.i18nguy.com/test/controls.htm
"	Bug	closed	Template system	1.6	Normal	wontfix	control characters c0 codes templates		Unreviewed	0	0	0	0	0	0
