id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
2984	allow specifying automatic HTML escaping for templates	Bastian Kleineidam <calvin@…>	Adrian Holovaty	"Hello,

the current templating mechanism is a little error-prone when it comes to HTML: suppose the following template
{{{
<h1> {{title}} </h1>
}}}
If the title value is controllable by the user, we have a security fault in the application, since the value can have HTML tags, possibly with JavaScript.

The correct template must be:
{{{
<h1> {{title|escape}} </h1>
}}}

Now, it is very tiresome to always remember to escape all those variables. It would be _very_ nice to have a default setting when rendering the template to always escape variable values unless noted otherwise. I have created a patch for that, which I will attach here tomorrow. It allows an optional keyword argument ""html=True"" for Template objects. To print out a variable unescaped one has to use the raw filter like this:

{{{
<h1> {{title|raw}} </h1>
}}}

Well, actually the ""raw"" filter is not a real filter; it is more like a flag telling the Template renderer to not HTML-quote the variable. A little hack, but it works :)"	enhancement	closed	Template system		normal	duplicate			Unreviewed	0	0	0	0	0	0
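The escape-by-default scheme the ticket proposes (quote every variable unless a `raw` flag is present), as a small added Python illustration that is neither Django's template engine nor the reporter's patch; the `Template` class, its `html=` argument, the `raw`/`escape` handling and the variable regex are assumptions modelled on the description:

```python
import re
from html import escape

# Constructed minimal renderer for this page: it supports only {{ name }}
# and {{ name|filter }} substitutions, enough to show the difference between
# opt-in escaping and escape-by-default with a per-variable raw flag.
_VAR_RE = re.compile(r"\{\{\s*(\w+)((?:\|\w+)*)\s*\}\}")


class Template:
    def __init__(self, source, html=False):
        self.source = source
        self.html = html  # html=True: quote every variable unless flagged raw

    def render(self, context):
        def substitute(match):
            name, filter_chain = match.group(1), match.group(2)
            filters = [f for f in filter_chain.split("|") if f]
            value = str(context.get(name, ""))
            if "escape" in filters:
                # Explicit escape wins and is applied exactly once, so an
                # escaped variable is never double-quoted under html=True.
                return escape(value)
            if self.html and "raw" not in filters:
                # Default quoting; "raw" is only a flag that switches it off
                # for this one variable, it does not transform the value.
                return escape(value)
            return value

        return _VAR_RE.sub(substitute, self.source)


def demo():
    # Constructed untrusted input standing in for a user-controlled title.
    untrusted_title = '<script>alert("xss")</script>'
    ctx = {"title": untrusted_title, "body": "<b>trusted markup</b>"}
    unsafe = Template("<h1> {{title}} </h1>").render(ctx)            # tags pass through
    safe = Template("<h1> {{title}} </h1>", html=True).render(ctx)   # tags quoted
    mixed = Template("<h1> {{title}} </h1>{{body|raw}}", html=True).render(ctx)
    return unsafe, safe, mixed
```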
