#6948 closed (fixed)
Join filter string literal escaped, docs say it shouldn't
Reported by: | Owned by: | Malcolm Tredinnick | |
---|---|---|---|
Component: | Template system | Version: | dev |
Severity: | Keywords: | join filter stringliteral | |
Cc: | Triage Stage: | Design decision needed | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Per the template documentation, string literal arguments are inserted into a template without being escaped, e.g.,:
{{ foo|default:"&" }}
renders:
&
and not:
&
But when I do:
{{ foo_list|join:" & " }}
I get the HTML:
1 & 2 & 3
instead of:
1 & 2 & 3
In other words, the string literal supplied to the join filter is escaped, where the docs imply otherwise, or at least aren't quite clear IMHO.
I've provided a patch that fixes the problem with the join filter that conditionally escapes the user data but leaves the string literal unescaped.
Attachments (1)
Change History (6)
by , 17 years ago
Attachment: | defaultfilters.patch added |
---|
comment:1 by , 16 years ago
Component: | Uncategorized → Documentation |
---|---|
Summary: | Join filter arg being escaped. → Join filter string literal escaped, docs say it shouldn't |
Triage Stage: | Unreviewed → Accepted |
comment:2 by , 16 years ago
Component: | Documentation → Template system |
---|---|
Owner: | changed from | to
Status: | new → assigned |
Triage Stage: | Accepted → Design decision needed |
Argh. :-(
This is correct, but I wish it had of been filed under the right component so we might have noticed it in the lead up to 1.0. Fixing the join filter properly will be backwards incompatible in a unsafe way (if you haven't HTML-escaped the literal, it will appear as non-escaped if we change this). So we might just have to wear the inconsistency and document it.
I'll think about it.
comment:3 by , 16 years ago
Since the docs explicitly state that literals are safe data, I'd say this is a bug fix.
comment:4 by , 16 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
(In [9442]) Fixed #6948 -- The join filter was escaping the literal value that was
passed in for the connector. This was contrary to what the documentation
for autoescaping said and to what every other filter does with literal
strings as arguments.
This is backwards incompatible for the situation of the literal string
containing one of the five special HTML characters: if you were writing
{{ foo|join:"&" }}, you now have to write {{ foo| join:"&" }}.
Previous behaviour was, as noted, a bug and contrary to what was
documented and expected.
comment:5 by , 16 years ago
(In [9443]) [1.0.X] Fixed #6948 -- The join filter was escaping the literal value
that was passed in for the connector. This was contrary to what the
documentation for autoescaping said and to what every other filter does
with literal strings as arguments.
This is backwards incompatible for the situation of the literal string
containing one of the five special HTML characters: if you were writing
{{ foo|join:"&" }}, you now have to write {{ foo| join:"&" }}.
Previous behaviour was, as noted, a bug and contrary to what was
documented and expected.
Backport of r9442 from trunk.
Patch for join filter.