Changes between Initial Version and Version 3 of Ticket #31427

Timestamp:

Apr 7, 2020, 5:20:14 AM (4 years ago)

Author:

Carlton Gibson

Comment:

Grrr.

Django supports custom html representation for objects using the html method

I don't think that's the intended use-case.

Rather:

This shouldn't be thought of as *replacement* for autoescaping, since that's not required, but as something that uses it for interoperability.

• https://code.djangoproject.com/ticket/7261#comment:3

i.e. it was introduced so the DTL could understand that strings from other template engines were pre-escaped.

The __html__() method is hardly documented — it's mentioned only in passing for html_safe.

I'm not 100% adverse to the idea here—I can see the appeal— vs what? implementing str() to mark safe, or a proxy class doing the same for use in the admin...? Overriding the templates?, and so on... — but (A) security — do folks really emit safe HTML? — and then (B) it's a change in the intended use, so ... 😬

I'll initially say needsinfo rather than wontfix here.

• What does it really involve? Documenting __html__() and promoting to a recommended approach.
• A PoC concept PR: What do the changes look like? (In draft)
• Then, is the any support for such a change on the DevelopersMailingList? (vs the alternatives)

I hope that makes sense.