Opened 13 years ago

Closed 13 years ago

#2984 closed enhancement (duplicate)

allow to specify automatic HTML escaping for templates

Reported by: Bastian Kleineidam <calvin@…> Owned by: Adrian Holovaty
Component: Template system Version:
Severity: normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no



the current templating mechanism is a little error prone when it comes to HTML: suppose the following template

<h1> {{title}} </h1>

If the title value is controllable by the user, we have a security fault in the application, since the value can have HTML tags, possibly with javascript.

The correct template must be:

<h1> {{title|escape}} </h1>

Now, it is very tiresome to always remember to escape all those variables. It would be _very_ nice to have a default setting when rendering the template to always escape variable values unless noted otherwise. I have created a patch for that, which I will attach here tomorrow. It allows an optional keyword argument "html=True" for Template objects. To print out a variable unescaped one has to use the raw filter like this:

<h1> {{title|raw}} </h1>

Well, actually the "raw" filter is not a real filter, it is more like a flag telling the Template renderer to not HTML-quote the variable. A little hack, but it works :)

Change History (2)

comment:1 Changed 13 years ago by Jacob

This is an ongoing topic we've not decided on a great solution for -- see AutoEscaping. Since you say you've got a patch I'll leave this open instead of marking duplicate, but please make sure you read the existing discussion first.

comment:2 Changed 13 years ago by Adrian Holovaty

Resolution: duplicate
Status: newclosed

Duplicate of #2359. Also see the django-developers mailing list archives for much discussion on this topic.

Note: See TracTickets for help on using tickets.
Back to Top