Opened 9 years ago
Last modified 8 years ago
#26258 new Bug
Jinja2 rendered templates are not safe by default
Reported by: | Ivan Tsouvarev | Owned by: | nobody |
---|---|---|---|
Component: | Template system | Version: | 1.9 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Someday/Maybe |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Here are the steps to reproduce:
- have Django 1.9
- make some simple_tag that renders a Jinja2 template, and output it
Expected result:
- output is unescaped
What happens:
- output is escaped
With Django's templates everything works just fine, since it does mark_safe in NodeList.
In pre-1.9 versions it wasn't an issue, because simple_tag wasn't auto-escaped by default.
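The mechanism behind the report, and the workaround the 1.9 release notes prescribe (mark the tag's already-escaped output safe), as an added example that is not code from this ticket, from Django or from Jinja2. Everything below is a stdlib-only stand-in written for this page: SafeString, mark_safe, conditional_escape and simple_tag_render are modelled on the corresponding Django pieces, and render_jinja_filter stands in for rendering admin/filter.html through a Jinja2 environment with autoescape on. The key fact the model reproduces is that jinja2.Template.render() returns a plain str, while Django's conditional_escape only trusts values that implement the __html__ protocol (which django's SafeString and MarkupSafe's Markup both do). All names and the sample filter data are constructed for illustration.

```python
"""Why a Jinja2-rendered string is escaped twice inside a Django 1.9 simple_tag,
and the mark_safe workaround.  Stand-ins modelled on Django; not Django's code."""
import html


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString: a str that declares
    itself already escaped through the __html__ protocol (markupsafe.Markup,
    used by Jinja2, implements the same protocol)."""

    def __html__(self):
        return self


def mark_safe(s):
    """Stand-in for django.utils.safestring.mark_safe."""
    return SafeString(s)


def conditional_escape(text):
    """Stand-in for django.utils.html.conditional_escape: values that
    implement __html__ are passed through, everything else is escaped."""
    if hasattr(text, "__html__"):
        return text.__html__()
    return html.escape(str(text), quote=True)


def render_jinja_filter(title, choices):
    """Stand-in for rendering a Jinja2 filter template with autoescape=True:
    the interpolated values are escaped here, and the result is a *plain*
    str, exactly as jinja2.Template.render() returns (not Markup)."""
    items = "".join(
        '<li><a href="?{}">{}</a></li>'.format(
            html.escape(query, quote=True), html.escape(label, quote=True)
        )
        for query, label in choices
    )
    return "<h3>By {}</h3><ul>{}</ul>".format(html.escape(title, quote=True), items)


def simple_tag_render(func, *args, autoescape=True):
    """Stand-in for what Django 1.9's simple_tag does with the tag's return
    value: when autoescape is enabled, conditional_escape is applied to it."""
    output = func(*args)
    if autoescape:
        output = conditional_escape(output)
    return output


def jinja_list_filter_broken(title, choices):
    """The tag as described in the report: returns the Jinja2 output as a
    plain str, so Django escapes the already-escaped markup a second time."""
    return render_jinja_filter(title, choices)


def jinja_list_filter_fixed(title, choices):
    """The 1.9 release-notes workaround: the tag itself guarantees the output
    is escaped (Jinja2 did it), so it marks the result safe and Django leaves
    it alone."""
    return mark_safe(render_jinja_filter(title, choices))


# Constructed sample input: labels containing characters that matter for HTML.
SAMPLE_TITLE = "author"
SAMPLE_CHOICES = [("author=1", "Tom & Jerry"), ("author=2", "<script>")]

if __name__ == "__main__":
    print(simple_tag_render(jinja_list_filter_broken, SAMPLE_TITLE, SAMPLE_CHOICES))
    print(simple_tag_render(jinja_list_filter_fixed, SAMPLE_TITLE, SAMPLE_CHOICES))
```

The same effect can be had by returning a markupsafe.Markup object from the tag, since Django's conditional_escape honours its __html__ method; either way the responsibility is the tag's, because nothing tells Django that a str coming back from another template engine has already been escaped.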
Attachments (2)
Change History (11)
by , 9 years ago
Attachment: patch.diff added
follow-up: 2 comment:1 by , 9 years ago
comment:2 by , 9 years ago
Replying to timgraham:
> Is there a problem if you follow the rules in the 1.9 release notes for marking the output of your template tag as safe?
The thing is, the problem template tag is admin_list_filter inside Django's admin. We have a list filter that renders via a Jinja2 template, so this issue arises.
> I didn't look in detail at the consequences of your proposed patch, but from a quick glance, I don't see the rationale for considering all rendering of Template safe. A regression test to demonstrate the fix would also be required.
Django considers its own templates safe, so why not consider Jinja's templates safe as well? But, of course, you may come up with a better solution.
follow-ups: 4 9 comment:3 by , 9 years ago
Do you have time to put together a sample project I could download to easily reproduce the issue? That will help me investigate and try to find the proper solution.
comment:4 by , 9 years ago
Replying to timgraham:
> Do you have time to put together a sample project I could download to easily reproduce the issue? That will help me investigate and try to find the proper solution.
OK, I will try to do that by next week.
comment:5 by , 9 years ago
Has patch: unset
Triage Stage: Unreviewed → Someday/Maybe
comment:6 by , 9 years ago
https://github.com/tsouvarev/test_jinja_escaped_twice
I've added JinjaListFilter, which renders with a Jinja template (which is just admin/filter.html translated into Jinja).
In the Book admin section, on the right side, you will see escaped HTML code.
by , 9 years ago
Attachment: screenshot-localhost 8000 2016-02-26 11-38-37.png added
comment:7 by , 9 years ago
I added some inclusion tags that include Jinja templates; they are also not working at all (see the /test/ view).
comment:9 by , 8 years ago
Replying to timgraham:
> Do you have time to put together a sample project I could download to easily reproduce the issue? That will help me investigate and try to find the proper solution.
Is there any workaround for this?