Opened 17 years ago

Closed 17 years ago

#5945 closed (fixed)

String constants in filters and variable tags should be marked safe

Reported by: Chris Beaven Owned by: nobody
Component: Template system Version: dev
Severity: Keywords: auto-escaping
Cc: Triage Stage: Design decision needed
Has patch: yes Needs documentation: no
Needs tests: yes Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Since string constants are directly within the realm of the template author, they shouldn't be touched by auto-escaping.

Examples:

{{ "<p>don't touch me</p>" }}
{{ caption|default:"<em>No caption</em>" }}

Attachments (1)

safe_constants.diff (941 bytes ) - added by Chris Beaven 17 years ago.

Download all attachments as: .zip

Change History (4)

by Chris Beaven, 17 years ago

Attachment: safe_constants.diff added

comment:1 by Chris Beaven, 17 years ago

Needs tests: set
Triage Stage: UnreviewedDesign decision needed

One consideration is that this will mark i18n "constant" translated strings, too. The template author doesn't see these directly, so I'm not sure if that is acceptable.

For example, {{ caption|default:_("what if I am dangerous?") }}.

comment:2 by Michael Radziej, 17 years ago

I think your original report is right and template strings should be marked as safe (I am surprised they aren't!) The problem with translations is that the translator cannot mark a translation as safe, and if it's done in the template, the template author still has to trust the translator.

comment:3 by Malcolm Tredinnick, 17 years ago

Resolution: fixed
Status: newclosed

(In [6680]) Fixed #5945 -- Treat string literals in template filter arguments as safe
strings for auto-escaping purposes.

Note: See TracTickets for help on using tickets.
Back to Top