Opened 7 years ago

Closed 7 years ago

#5945 closed (fixed)

String constants in filters and variable tags should be marked safe

Reported by: SmileyChris
Owned by: nobody
Component: Template system
Version: master
Severity:
Keywords: auto-escaping
Cc:
Triage Stage: Design decision needed
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Since string constants are directly within the realm of the template author, they shouldn't be touched by auto-escaping.

Examples:

{{ "<p>don't touch me</p>" }}
{{ caption|default:"<em>No caption</em>" }}

Attachments (1)

safe_constants.diff (941 bytes) - added by SmileyChris 7 years ago.


Change History (4)

comment:1 Changed 7 years ago by SmileyChris

  • Needs documentation unset
  • Needs tests set
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Design decision needed

One consideration is that this will mark i18n "constant" translated strings, too. The template author doesn't see these directly, so I'm not sure if that is acceptable.

For example, {{ caption|default:_("what if I am dangerous?") }}.

comment:2 Changed 7 years ago by mir

I think your original report is right and template strings should be marked as safe (I am surprised they aren't!). The problem with translations is that the translator cannot mark a translation as safe, and if it's done in the template, the template author still has to trust the translator.
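
The trust boundary the ticket description and comments 1 and 2 are discussing, as an added example that is not part of the ticket and is not Django's code: a minimal model of Django-style auto-escaping (SafeString, mark_safe, escape, conditional_escape and the default filter are simplified re-implementations, and resolve_literal, resolve_variable and render_default are names assumed for the example). The translation catalog is constructed for the example, with one deliberately hostile entry so the i18n concern from comment:1 is visible in the output.

```python
"""Model of auto-escaping with author-typed literals marked safe.

Added example, not code from the ticket or from Django.  The helpers below
are simplified stand-ins for Django's SafeString/mark_safe/escape and the
`default` filter; CATALOG is a constructed translation table.
"""

import html


class SafeString(str):
    """A string the template engine will emit without escaping."""


def mark_safe(value):
    """Tag a value as trusted markup (no-op if it already is)."""
    return value if isinstance(value, SafeString) else SafeString(value)


def escape(value):
    """Always escape, regardless of any existing safe marking."""
    return SafeString(html.escape(str(value), quote=True))


def conditional_escape(value):
    """Escape unless the value has already been marked safe."""
    return value if isinstance(value, SafeString) else escape(value)


def default_filter(value, arg):
    """Model of `default`: return arg when value is empty.  Like the real
    filter it passes the argument through unchanged, so the argument's
    safe/unsafe status decides what happens at output time."""
    return value if value else arg


# Constructed catalog standing in for a translator-supplied message file.
# The second entry is hostile on purpose: it is what comment:1 worries about.
CATALOG = {
    "No caption": "Keine Bildunterschrift",
    "what if I am dangerous?": "<script>alert(1)</script>",
}


def resolve_literal(text, translate=False):
    """A string literal is typed by the template author, so (as the ticket
    requests) it is marked safe.  With translate=True the literal is first
    looked up in the catalog; marking that result safe extends the author's
    trust to whoever wrote the catalog (assumed behaviour for this model)."""
    if translate:
        return mark_safe(CATALOG.get(text, text))
    return mark_safe(text)


def resolve_variable(context, name):
    """Context data (user input, database rows) is never marked safe merely
    by being referenced from a template."""
    return context.get(name, "")


def render_default(context, var_name, fallback):
    """Render `{{ var_name|default:fallback }}` with auto-escaping on and
    return the output string."""
    value = resolve_variable(context, var_name)
    return str(conditional_escape(default_filter(value, fallback)))


if __name__ == "__main__":
    ctx = {"caption": "", "user_fallback": "<em>from a user</em>"}
    # {{ caption|default:"<em>No caption</em>" }}: author-typed markup survives
    print(render_default(ctx, "caption", resolve_literal("<em>No caption</em>")))
    # {{ caption|default:user_fallback }}: a variable fallback is escaped
    print(render_default(ctx, "caption", resolve_variable(ctx, "user_fallback")))
    # {{ caption|default:"..." }} with a hostile caption: the variable is escaped
    print(render_default({"caption": "<b>x</b>"}, "caption", resolve_literal("<em>No caption</em>")))
    # {{ caption|default:_("what if I am dangerous?") }}: the translator is trusted
    print(render_default(ctx, "caption", resolve_literal("what if I am dangerous?", translate=True)))
```

The last line of output is the point of comments 1 and 2: once translated literals are marked safe, the template author's trust is silently extended to the translation catalog, so a hostile or compromised message file renders as live markup.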

comment:3 Changed 7 years ago by mtredinnick

  • Resolution set to fixed
  • Status changed from new to closed

(In [6680]) Fixed #5945 -- Treat string literals in template filter arguments as safe
strings for auto-escaping purposes.
