Opened 21 months ago

Last modified 16 months ago

#26258 new Bug

Jinja2 rendered templates are not safe by default

Reported by: Ivan Tsouvarev
Owned by: nobody
Component: Template system
Version: 1.9
Severity: Normal
Keywords:
Cc:
Triage Stage: Someday/Maybe
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Here are steps to reproduce:

  • have Django 1.9
  • make some simple_tag that renders Jinja2 template
  • output it

Expected result:

  • output is unescaped

What happens:

  • output is escaped

With Django's templates everything works just fine, since it applies mark_safe in NodeList.

In pre-1.9 versions it wasn't an issue, because simple_tag wasn't auto-escaped by default.

Attachments (2)

patch.diff (872 bytes) - added by Ivan Tsouvarev 21 months ago.
screenshot-localhost 8000 2016-02-26 11-38-37.png (42.3 KB) - added by Ivan Tsouvarev 21 months ago.


Change History (11)

Changed 21 months ago by Ivan Tsouvarev

Attachment: patch.diff added

comment:1 Changed 21 months ago by Tim Graham

Is there a problem if you follow the rules in the 1.9 release notes for marking the output of your template tag as safe?

I didn't look in detail at the consequences of your proposed patch, but from a quick glance, I don't see the rationale for considering all rendering of Template safe. A regression test to demonstrate the fix would also be required.
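Added example, not code from the ticket, the reporter's sample project, or Django itself: a small stand-in model of the behaviour the report and comment:1 are about. SafeString, mark_safe and conditional_escape mirror the logic of django.utils.safestring and django.utils.html; simple_tag mirrors the Django 1.9 rule that a simple_tag's return value is passed through conditional_escape; render_autoescaped and render_unescaped stand in for a Jinja2 Environment created with autoescape=True or autoescape=False (assumption: a bare {{name}} placeholder syntax, which is all that is needed to show the escaping). FILTER_TEMPLATE and CONTEXT are constructed sample data. The three tags show the double escaping as reported, the fix of marking the already-escaped output safe, and the caveat that mark_safe is only a promise: applied to output of a non-autoescaping Jinja2 environment it lets untrusted data through raw.

```python
"""Model of Django 1.9 simple_tag autoescaping versus Jinja2-rendered output.

Stand-ins, not Django or Jinja2 code (see lead-in for what each mirrors).
"""
import functools
import html


class SafeString(str):
    """Marks a string as already escaped, so it must not be escaped again."""


def mark_safe(s):
    return SafeString(s)


def conditional_escape(value):
    """Escape unless the value is marked safe (the rule Django applies)."""
    if isinstance(value, SafeString):
        return value
    return mark_safe(html.escape(str(value), quote=True))


def simple_tag(func):
    """Django >= 1.9: the tag's return value is conditionally escaped."""
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        return conditional_escape(func(*args, **kwargs))
    return wrapper


def render_autoescaped(template, **context):
    """Stand-in for Jinja2 with autoescape=True: values escaped, markup kept.
    Returns a plain str, since Jinja2's Markup is not a Django SafeString."""
    out = template
    for name, value in context.items():
        out = out.replace("{{%s}}" % name, html.escape(str(value), quote=True))
    return out


def render_unescaped(template, **context):
    """Stand-in for Jinja2 with autoescape=False (Jinja2's own default)."""
    out = template
    for name, value in context.items():
        out = out.replace("{{%s}}" % name, str(value))
    return out


# Constructed sample: one filter entry whose title comes from untrusted data.
FILTER_TEMPLATE = '<li><a href="{{href}}">{{title}}</a></li>'
CONTEXT = {"href": "?q=1&x=2", "title": "<b>Title</b>"}


@simple_tag
def list_filter_as_reported():
    # The ticket's case: Jinja2 output returned as a plain str is escaped a
    # second time by simple_tag, so the page shows literal HTML source.
    return render_autoescaped(FILTER_TEMPLATE, **CONTEXT)


@simple_tag
def list_filter_marked_safe():
    # The 1.9 rule from comment:1: the tag takes responsibility for escaping
    # (the autoescaping Jinja2 environment already did it) and marks the
    # result safe so Django does not escape it again.
    return mark_safe(render_autoescaped(FILTER_TEMPLATE, **CONTEXT))


@simple_tag
def list_filter_marked_safe_without_autoescape():
    # Caveat: mark_safe only records a promise. With a non-autoescaping Jinja2
    # environment the promise is false and untrusted data reaches the page raw.
    return mark_safe(render_unescaped(FILTER_TEMPLATE, **CONTEXT))


if __name__ == "__main__":
    for tag in (list_filter_as_reported, list_filter_marked_safe,
                list_filter_marked_safe_without_autoescape):
        print(tag.__name__, "->", tag())
```

Running the block prints the three outputs side by side: the first is the escaped-twice source the screenshot in this ticket shows, the second is correct HTML with the title still escaped once, and the third contains a raw <b> element, which is why marking Jinja2 output safe is only right when the Jinja2 environment itself autoescapes.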

comment:2 in reply to: 1 Changed 21 months ago by Ivan Tsouvarev

Replying to timgraham:

> Is there a problem if you follow the rules in the 1.9 release notes for marking the output of your template tag as safe?

The thing is, the problem templatetag is admin_list_filter inside Django's admin. We have a list filter that renders via a Jinja2 template, so this issue arises.

> I didn't look in detail at the consequences of your proposed patch, but from a quick glance, I don't see the rationale for considering all rendering of Template safe. A regression test to demonstrate the fix would also be required.

Django considers its own templates safe, so why not consider Jinja's templates safe as well? But, of course, you may come up with a better solution.

comment:3 Changed 21 months ago by Tim Graham

Do you have time to put together a sample project I could download to easily reproduce the issue? That will help me investigate and try to find the proper solution.

comment:4 in reply to: 3 Changed 21 months ago by Ivan Tsouvarev

Replying to timgraham:

> Do you have time to put together a sample project I could download to easily reproduce the issue? That will help me investigate and try to find the proper solution.

OK, I will try to do that by next week.

comment:5 Changed 21 months ago by Tim Graham

Has patch: unset
Triage Stage: Unreviewed → Someday/Maybe

comment:6 Changed 21 months ago by Ivan Tsouvarev

https://github.com/tsouvarev/test_jinja_escaped_twice

I've added JinjaListFilter, which renders with a Jinja template (which is just admin/filter.html translated into Jinja).
In the Book admin section, at the right side, you will see escaped HTML code.

Changed 21 months ago by Ivan Tsouvarev

comment:7 Changed 21 months ago by Ivan Tsouvarev

I added some inclusion tags that include Jinja templates; they are also not working at all (see the /test/ view).

comment:8 Changed 21 months ago by Ivan Tsouvarev

Any feedback?

comment:9 in reply to: 3 Changed 16 months ago by Sassan Haradji

Replying to timgraham:

> Do you have time to put together a sample project I could download to easily reproduce the issue? That will help me investigate and try to find the proper solution.

Is there any workaround for this?
