﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
26478	Prohibit quotes and vertical bar in {% for %} unpacking variable names	Stephen Kelly	Tim Martin	"The 'for' tag does not validate names of unpacked variables, allowing things like

`{% for k|upper, ""v"" in mapping.items %}`

without throwing an error. Such 'variables' are not useful within the `for` block.

{{{#!python
#!/usr/bin/env python

from django.template import Context
from django.template.engine import Engine

e = Engine()

c = Context()
c[""m""] = {""one"": ""1"", ""two"": ""2""}

# Unpacking target contains FILTER_SEPARATOR; no error is raised
t = e.from_string('{% for k|upper, v in m.items %}{{ k|upper }} : {{ v }}\n{% endfor %}')
print(t.render(c))
#  : 2
#  : 1

# Unpacking target is a double-quoted string; no error is raised
t = e.from_string('{% for ""k"", v in m.items %}{{ ""k"" }} : {{ v }}\n{% endfor %}')
print(t.render(c))
# k : 2
# k : 1
}}}

The for tag should error on an attempt to unpack to variables which contain FILTER_SEPARATOR, a double-quoted string or a single-quoted string.

The underlying issue is that `Context` does not validate keys it is given, so the `cycle` tag also has this issue in the form of `{% cycle 'a' 'b' 'c' as ""letter"" %}`, as do `widthratio` and any other tag which has an 'as' form.
"	Cleanup/optimization	closed	Template system	1.9	Normal	fixed			Ready for checkin	1	0	0	0	0	0
