Following a recent report, it has come to our attention that the docs for autoescape and escape could be improved by explicitly mentioning how those interact with the results of applying (chaining) filters that mark their result as safe (like those that operate with sequences). For example, in this code:
{% autoescape off %}
{{ some_list|join:","|escape }}
{% endautoescape %}
the string resulting from the concatenation of some_list items would not be escaped. The reason is that join returns a string marked as safe (but since it was executed in the context of autoescape being off, each individual item is not escaped), and the escape docs mention the following (but they could use an example to make the point more obvious):
Applying escape to a variable that would normally have auto-escaping applied to the result will only result in one round of escaping being done.
Similarly, the safe docs also refer to the above (but again, explicitness could go a long way here):
If you are chaining filters, a filter applied after safe can make the contents unsafe again. For example, the following code prints the variable as is, unescaped:
{{ var|safe|escape }}
which is analogous to what is happening in the first code snippet: join is marking the result as safe, so the chained |escape does nothing.
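To make the interaction concrete, here is a small, self-contained model of the mechanism behind the two snippets above. It is an added example, not Django's own code and not part of the ticket or the proposed PR: it re-implements, with the same semantics, a string type carrying `__html__` (the role played by Django's SafeString), `conditional_escape`, and the `join`, `escape`, `safe` and `force_escape` filters, so it runs without Django installed. The sample list items are constructed for the demonstration. It also shows the defender-side contrast the ticket does not spell out: `force_escape` escapes unconditionally, so it is the filter to reach for when a value produced inside `{% autoescape off %}` must be escaped after all.

```python
import html


class SafeString(str):
    """Model of a string that declares itself safe: the __html__ hook tells
    conditional_escape to leave it alone (mirrors django.utils.safestring)."""

    def __html__(self):
        return self


def mark_safe(value):
    """Wrap a plain str as SafeString; an already-safe string is returned unchanged."""
    return value if isinstance(value, SafeString) else SafeString(value)


def escape(text):
    """Model of django.utils.html.escape: ALWAYS escapes and marks the result safe."""
    return mark_safe(html.escape(str(text), quote=True))


def conditional_escape(text):
    """Model of django.utils.html.conditional_escape: skip anything that has __html__,
    otherwise escape. This is why a safe string gets at most one round of escaping."""
    if hasattr(text, "__html__"):
        return text.__html__()
    return escape(text)


def join_filter(value, arg, autoescape=True):
    """Model of the `join` template filter: items are escaped only while autoescape
    is on, but the concatenation is marked safe in BOTH cases."""
    if autoescape:
        data = conditional_escape(arg).join(conditional_escape(v) for v in value)
    else:
        data = arg.join(str(v) for v in value)
    return mark_safe(data)


def escape_filter(value):
    """Model of the `escape` template filter: conditional, so a safe input is untouched."""
    return conditional_escape(value)


def safe_filter(value):
    """Model of the `safe` template filter."""
    return mark_safe(value)


def force_escape_filter(value):
    """Model of the `force_escape` template filter: escapes regardless of safeness."""
    return escape(value)


def render_join_then_escape(items, autoescape):
    """`{{ some_list|join:","|escape }}` inside an autoescape block that is on or off."""
    return str(escape_filter(join_filter(items, ",", autoescape=autoescape)))


def render_safe_then_escape(var):
    """`{{ var|safe|escape }}`: the chained escape does nothing."""
    return str(escape_filter(safe_filter(var)))


def render_join_then_force_escape(items, autoescape):
    """`{{ some_list|join:","|force_escape }}`: escaped even when join marked it safe."""
    return str(force_escape_filter(join_filter(items, ",", autoescape=autoescape)))


if __name__ == "__main__":
    # Constructed sample data: two items that would matter if rendered into HTML unescaped.
    sample = ["<b>", "a&b"]
    print("autoescape off, join|escape :", render_join_then_escape(sample, autoescape=False))
    print("autoescape on,  join|escape :", render_join_then_escape(sample, autoescape=True))
    print("var|safe|escape             :", render_safe_then_escape("<b>"))
    print("autoescape off, join|force_escape:", render_join_then_force_escape(sample, False))
```

With autoescape off, `join|escape` renders `<b>,a&b` verbatim: `join` marked the string safe, so the trailing `escape` (a conditional escape) declines to touch it, exactly as in the ticket's first snippet. With autoescape on, the items were escaped inside `join` and the outer `escape` again does nothing, which is the single round of escaping the docs describe. `force_escape` is the unconditional variant and is the one that restores escaping after a safe-marking filter.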
PR