Opened 11 years ago

Closed 11 years ago

#5945 closed (fixed)

String constants in filters and variable tags should be marked safe

Reported by: Chris Beaven
Owned by: nobody
Component: Template system
Version: master
Severity:
Keywords: auto-escaping
Cc:
Triage Stage: Design decision needed
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no


Since string constants are directly within the realm of the template author, they shouldn't be touched by auto-escaping.


{{ "<p>don't touch me</p>" }}
{{ caption|default:"<em>No caption</em>" }}

Attachments (1)

safe_constants.diff (941 bytes) - added by Chris Beaven 11 years ago.


Change History (4)

Changed 11 years ago by Chris Beaven

Attachment: safe_constants.diff added

comment:1 Changed 11 years ago by Chris Beaven

Needs tests: set
Triage Stage: Unreviewed → Design decision needed

One consideration is that this will mark i18n "constant" translated strings, too. The template author doesn't see these directly, so I'm not sure if that is acceptable.

For example, {{ caption|default:_("what if I am dangerous?") }}.

comment:2 Changed 11 years ago by Michael Radziej

I think your original report is right and template strings should be marked as safe (I am surprised they aren't!). The problem with translations is that the translator cannot mark a translation as safe, and if it's done in the template, the template author still has to trust the translator.

comment:3 Changed 11 years ago by Malcolm Tredinnick

Resolution: fixed
Status: new → closed

(In [6680]) Fixed #5945 -- Treat string literals in template filter arguments as safe
strings for auto-escaping purposes.
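The following is an added, self-contained re-implementation of the behaviour discussed in this ticket; it is not Django's template engine or the attached patch. It models the rule the fix introduces (a quoted literal in a variable tag or filter argument is the template author's own text, so it is marked safe and bypasses auto-escaping), while keeping the caveat raised in comment:1 and comment:2: a translated literal written as _("...") is resolved through a translation catalogue the template author never sees, so it is escaped unless the caller explicitly opts into trusting translators. The `SafeString`, `render`, `resolve` and `trust_translations` names, the `TRANSLATIONS` catalogue and the template strings are all constructed for this example.

```python
"""Constructed model of template auto-escaping with safe string constants.

Not Django's code: a tiny {{ var|default:arg }} evaluator that shows why
author-written literals can be trusted while translated ones need care.
"""
import html
import re


class SafeString(str):
    """Marker type: text the template author wrote, emitted verbatim."""


def mark_safe(text):
    return SafeString(text)


def conditional_escape(value):
    """HTML-escape everything except values already marked safe."""
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(str(value), quote=True)


# Constructed translation catalogue standing in for a gettext .po file.
# The translator has put markup into the string; the template author
# never reviewed it, which is exactly the concern in comment:1 and comment:2.
TRANSLATIONS = {
    "No caption": "<em>Pas de légende</em>",
}


def gettext(msgid):
    return TRANSLATIONS.get(msgid, msgid)


_TAG = re.compile(r"\{\{\s*(.*?)\s*\}\}")
_STRING = re.compile(r'^"((?:[^"\\]|\\.)*)"$')        # "literal"
_I18N = re.compile(r'^_\("((?:[^"\\]|\\.)*)"\)$')     # _("literal")


def resolve(token, context, trust_translations=False):
    """Resolve a variable name, a string constant, or a translated constant.

    A quoted literal is the author's own text -> marked safe (the ticket's fix).
    A _("...") literal comes from the translator -> safe only if the caller
    explicitly opts in; otherwise it is auto-escaped like any other data.
    """
    m = _STRING.match(token)
    if m:
        return mark_safe(m.group(1).replace('\\"', '"'))
    m = _I18N.match(token)
    if m:
        translated = gettext(m.group(1))
        return mark_safe(translated) if trust_translations else translated
    # Anything else is a context variable; missing variables render empty.
    return context.get(token, "")


def render(template, context, trust_translations=False):
    """Render {{ ... }} tags supporting the 'default' and 'safe' filters.

    Simplification: filters are split on '|' textually, so a pipe inside a
    string literal is not supported here.
    """
    def substitute(match):
        expr = match.group(1)
        parts = expr.split("|")
        value = resolve(parts[0], context, trust_translations)
        for flt in parts[1:]:
            name, _, arg = flt.partition(":")
            if name == "default":
                if not value:
                    value = resolve(arg, context, trust_translations)
            elif name == "safe":
                value = mark_safe(value)
            else:
                raise ValueError(f"unknown filter {name!r}")
        return conditional_escape(value)

    return _TAG.sub(substitute, template)


if __name__ == "__main__":
    # The two cases from the ticket description, plus the i18n caveat.
    print(render("{{ \"<p>don't touch me</p>\" }}", {}))
    print(render('{{ caption|default:"<em>No caption</em>" }}', {"caption": ""}))
    print(render('{{ caption|default:"<em>No caption</em>" }}', {"caption": "<b>user</b>"}))
    print(render('{{ caption|default:_("No caption") }}', {"caption": ""}))
    print(render('{{ caption|default:_("No caption") }}', {"caption": ""}, trust_translations=True))
```

The last two calls are the design decision the comments circle around: with `trust_translations=False` the translator-supplied `<em>` markup is escaped and shows up literally, which is safe but ugly; with `True` it renders as markup, which is what the author probably wanted but only holds if every translator of every language is trusted as much as the template author.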
