Changes between Initial Version and Version 3 of Ticket #31427


Ignore:
Timestamp:
04/07/20 10:20:14 (3 years ago)
Author:
Carlton Gibson
Comment:

Grrr.

Django supports custom html representation for objects using the html method

I don't think that's the intended use-case.

Rather:

This shouldn't be thought of as *replacement* for autoescaping, since that's not required, but as something that uses it for interoperability.

i.e. it was introduced so the DTL could understand that strings from other template engines were pre-escaped.

The __html__() method is hardly documented — it's mentioned only in passing for html_safe.

I'm not 100% adverse to the idea here—I can see the appeal— vs what? implementing str() to mark safe, or a proxy class doing the same for use in the admin...? Overriding the templates?, and so on... — but (A) security — do folks really emit safe HTML? — and then (B) it's a change in the intended use, so ... 😬

I'll initially say needsinfo rather than wontfix here.

  • What does it really involve? Documenting __html__() and promoting to a recommended approach.
  • A PoC concept PR: What do the changes look like? (In draft)
  • Then, is the any support for such a change on the DevelopersMailingList? (vs the alternatives)

I hope that makes sense.

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #31427

    • Property Owner changed from nobody to Andy Robles
    • Property Status changed from new to closed
    • Property Type changed from Uncategorized to New feature
    • Property Resolution changed from to needsinfo
  • Ticket #31427 – Description

    initial v3  
    1 Django supports custom html representation for objects using the __html__ method (see https://code.djangoproject.com/ticket/7261)
     1Django supports custom html representation for objects using the __html__ method (see #7261)
    22
    33This is supposedly used when trying to display to object as html : if the object provides an __html__ representation, this is used instead of an html-escaped version of __str__. This is implemented in `django.utils.html.conditional_escape`, used in turn by `format_html` (and similar).
Back to Top