Opened 9 years ago

Last modified 8 years ago

#26258 new Bug

Jinja2 rendered templates are not safe by default

Reported by: Ivan Tsouvarev Owned by: nobody
Component: Template system Version: 1.9
Severity: Normal Keywords:
Cc: Triage Stage: Someday/Maybe
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Here are steps to reproduce:

  • have Django 1.9
  • make some simple_tag that renders Jinja2 template
  • output it

Expected result:

  • output is unescaped

What happens:

  • output is escaped

With Django's templates everything works just fine, since it make mark_safe in NodeList

In pre-1.9 versions it wasn't an issue, because simple_tag wasn't auto-escaped by default

Attachments (2)

patch.diff (872 bytes ) - added by Ivan Tsouvarev 9 years ago.
screenshot-localhost 8000 2016-02-26 11-38-37.png (42.3 KB ) - added by Ivan Tsouvarev 9 years ago.

Download all attachments as: .zip

Change History (11)

by Ivan Tsouvarev, 9 years ago

Attachment: patch.diff added

comment:1 by Tim Graham, 9 years ago

Is there a problem if you follow the rules in the 1.9 release notes for marking the output of your template tag as safe?

I didn't look in detail at the consequences of your proposed patch, but from a quick glance, I don't see the rationale for considering all rendering of Template safe. A regression test to demonstrate the fix would also be required.

in reply to:  1 comment:2 by Ivan Tsouvarev, 9 years ago

Replying to timgraham:

Is there a problem if you follow the rules in the 1.9 release notes for marking the output of your template tag as safe?

Thing is, problem templatetag is admin_list_filter inside Django's admin. We have list filter that renders via Jinja2 template, so this issue raises

I didn't look in detail at the consequences of your proposed patch, but from a quick glance, I don't see the rationale for considering all rendering of Template safe. A regression test to demonstrate the fix would also be required.

Django's considering it's own templates as safe, so why not consider Jinja's templates safe as well? But, of course, you may come with better solution.

comment:3 by Tim Graham, 9 years ago

Do you have time to put together a sample project I could download to easily reproduce the issue? That will help me investigate and try to find the proper solution.

in reply to:  3 comment:4 by Ivan Tsouvarev, 9 years ago

Replying to timgraham:

Do you have time to put together a sample project I could download to easily reproduce the issue? That will help me investigate and try to find the proper solution.

Ok, I will try to do that until the next week

comment:5 by Tim Graham, 9 years ago

Has patch: unset
Triage Stage: UnreviewedSomeday/Maybe

comment:6 by Ivan Tsouvarev, 9 years ago

https://github.com/tsouvarev/test_jinja_escaped_twice

I've added JinjaListFilter thats renderes with Jinja template (which is just admin/filter.html translated into Jinja)
In Book admin section at the right side you will see escaped HTML code

comment:7 by Ivan Tsouvarev, 9 years ago

I added some inclusion tags that include Jinja templates - it also not working at all (see /test/ view)

comment:8 by Ivan Tsouvarev, 9 years ago

Any feedback?

in reply to:  3 comment:9 by Sassan Haradji, 8 years ago

Replying to timgraham:

Do you have time to put together a sample project I could download to easily reproduce the issue? That will help me investigate and try to find the proper solution.

Is there any workaround for this?

Note: See TracTickets for help on using tickets.
Back to Top