Opened 17 years ago
Closed 17 years ago
#5945 closed (fixed)
String constants in filters and variable tags should be marked safe
| Reported by: | Chris Beaven | Owned by: | nobody |
|---|---|---|---|
| Component: | Template system | Version: | dev |
| Severity: | | Keywords: | auto-escaping |
| Cc: | | Triage Stage: | Design decision needed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | yes | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Since string constants are directly within the realm of the template author, they shouldn't be touched by auto-escaping.
Examples:
    {{ "<p>don't touch me</p>" }}
    {{ caption|default:"<em>No caption</em>" }}
Attachments (1)
Change History (4)
by , 17 years ago
| Attachment: | safe_constants.diff added |
|---|---|
comment:1 by , 17 years ago
| Needs tests: | set |
|---|---|
| Triage Stage: | Unreviewed → Design decision needed |
comment:2 by , 17 years ago
I think your original report is right and template strings should be marked as safe (I am surprised they aren't!). The problem with translations is that the translator cannot mark a translation as safe, and if it's done in the template, the template author still has to trust the translator.
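The two cases the report and comment 2 argue about, as an added example that is not part of the ticket, the attached patch, or Django's own code. It is a deliberately small model of an autoescaping template engine's output path: `SafeString`, `mark_safe`, `escape`, `conditional_escape` and `default_filter` are stand-ins for the Django functions of the same names, `gettext` and the `TRANSLATIONS` catalogue are constructed fixtures, and `render_caption` plays the part of `{{ caption|default:... }}` with autoescaping on. It shows why marking a string literal safe fixes the `default:"<em>No caption</em>"` case without affecting user-supplied variables, and what goes wrong if the same marking is applied to a translated `_("...")` constant whose translation contains markup.

```python
import html


class SafeString(str):
    """A str the template engine will emit without escaping.

    Models (does not reproduce) django.utils.safestring.SafeString: for
    escaping purposes the only thing that matters is the __html__ marker.
    """

    def __html__(self):
        return str(self)


def mark_safe(value):
    """What the ticket proposes the parser do to a string constant in a template."""
    return SafeString(value)


def escape(value):
    """HTML-escape & < > " ' and return the result marked safe."""
    return SafeString(html.escape(str(value), quote=True))


def conditional_escape(value):
    """Escape unless the value already carries the safe marker (stand-in for Django's conditional_escape)."""
    if hasattr(value, "__html__"):
        return value.__html__()
    return escape(value)


def default_filter(value, fallback):
    """The 'default' filter: use the fallback when the value is falsy."""
    return value or fallback


# Constructed message catalogue (not a real locale): the translator has put
# markup into the translation of the template's constant string.
TRANSLATIONS = {
    "No caption": '<img src=x onerror="alert(document.cookie)">',
}


def gettext(msgid):
    """Stand-in for the template's _() lookup against the constructed catalogue."""
    return TRANSLATIONS.get(msgid, msgid)


def render_caption(caption, fallback):
    """Render {{ caption|default:fallback }} with autoescaping on.

    The variable's final value goes through conditional_escape, so anything
    not marked safe is escaped here exactly once.
    """
    return str(conditional_escape(default_filter(caption, fallback)))


def before_fix():
    # The literal is an ordinary str, so autoescaping mangles the author's markup.
    return render_caption(None, "<em>No caption</em>")


def after_fix():
    # The literal is marked safe at parse time and renders as the author wrote it.
    return render_caption(None, mark_safe("<em>No caption</em>"))


def user_data_still_escaped():
    # Marking the constant safe says nothing about the variable: user input is still escaped.
    return render_caption('<b>"hi"</b>', mark_safe("<em>No caption</em>"))


def translated_constant_marked_safe():
    # The concern raised in the report: if _( ) constants are marked safe as well,
    # whatever the translator wrote reaches the browser verbatim.
    return render_caption(None, mark_safe(gettext("No caption")))


def translated_constant_left_unsafe():
    # Treating the translation as data rather than template source keeps it escaped.
    return render_caption(None, gettext("No caption"))


if __name__ == "__main__":
    for fn in (before_fix, after_fix, user_data_still_escaped,
               translated_constant_marked_safe, translated_constant_left_unsafe):
        print(f"{fn.__name__:32} {fn()}")
```

The split the model makes explicit is between text the template author typed (a literal, trusted by construction) and text that arrives at render time from somewhere else (a context variable, or a message catalogue). Only the first kind can safely be marked at parse time; the translated constant looks like a literal in the template source but is really the second kind.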
comment:3 by , 17 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
One consideration is that this will mark i18n "constant" translated strings, too. The template author doesn't see these directly, so I'm not sure if that is acceptable.
For example:
    {{ caption|default:_("what if I am dangerous?") }}