Opened 16 years ago
Closed 16 years ago
#5945 closed (fixed)
String constants in filters and variable tags should be marked safe
| Reported by: | Chris Beaven | Owned by: | nobody |
|---|---|---|---|
| Component: | Template system | Version: | dev |
| Severity: | Keywords: | auto-escaping | |
| Cc: | Triage Stage: | Design decision needed | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | yes | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Since string constants are directly within the realm of the template author, they shouldn't be touched by auto-escaping.
Examples:
{{ "<p>don't touch me</p>" }}
{{ caption|default:"<em>No caption</em>" }}
Attachments (1)
Change History (4)
by , 16 years ago
| Attachment: | safe_constants.diff added |
|---|
comment:1 by , 16 years ago
| Needs tests: | set |
|---|---|
| Triage Stage: | Unreviewed → Design decision needed |
comment:2 by , 16 years ago
I think your original report is right and template strings should be marked as safe (I am surprised they aren't!) The problem with translations is that the translator cannot mark a translation as safe, and if it's done in the template, the template author still has to trust the translator.
comment:3 by , 16 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
One consideration is that this will mark i18n "constant" translated strings, too. The template author doesn't see these directly, so I'm not sure if that is acceptable.
For example,
{{ caption|default:_("what if I am dangerous?") }}.