
Opened 6 years ago

Closed 6 years ago

Last modified 3 years ago

#7544 closed (fixed)

Documentation mistake when using an escaping example

Reported by: lukejackson
Owned by: garcia_marc
Component: Documentation
Version: master
Severity:
Keywords: template escape safe
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

On http://www.djangoproject.com/documentation/templates/, it gives an example of a string that you definitely need to escape:

{{ data|default:"3 > 2" }} <-- Bad! Don't do this.

However, the > symbol doesn't need to be escaped outside of the inner contents of a tag. Perhaps a better example would be the < character.

The documentation is great, btw, very easy to read and accessible.

Attachments (2)

index.html (375 bytes) - added by garcia_marc 6 years ago.
Testing file for html validation
7544.diff (485 bytes) - added by garcia_marc 6 years ago.
Patch with a better example on documentation.


Change History (8)

comment:1 Changed 6 years ago by lukejackson

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Changed 6 years ago by garcia_marc

Testing file for html validation

comment:2 Changed 6 years ago by garcia_marc

  • milestone set to 1.0
  • Owner changed from nobody to garcia_marc
  • Triage Stage changed from Unreviewed to Accepted

I couldn't find any documentation about it, but I tried the attached file on http://validator.w3.org/ and the ticket report is correct, so the validator only complains about the less-than character, not greater-than.

Changed 6 years ago by garcia_marc

Patch with a better example on documentation.

comment:3 Changed 6 years ago by garcia_marc

  • Has patch set
  • Summary changed from Small suggestion for template example change to Documentation mistake when using an escaping example
  • Triage Stage changed from Accepted to Ready for checkin

Documentation modified because it used an example that actually isn't correct.

Definitely, Django is a web framework for perfectionists... ;)

comment:4 Changed 6 years ago by mtredinnick

There's actually nothing wrong with this example. It's a fragment of a template and what's to say it isn't wrapped in a tag in the rest of the template? It would also be bad practice to leave the "<" unescaped, since if you later did end up wrapping it inside something that needed it to be escaped, you would introduce problems.
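A small checker illustrating the point argued in the description and in comments 2 and 4: Django inserts filter string literals without autoescaping, so a raw `<` or `>` in a `default:"..."` argument reaches the page verbatim, whatever context the fragment later lands in. This is an added example, not code from the ticket, the patch or Django itself; the `{{ var|default:"..." }}` matcher and the sample template are constructed for it.

```python
import html
import re

# Constructed for this example: a deliberately narrow matcher for
# {{ var|default:"literal" }} tags, not Django's own template lexer.
DEFAULT_LITERAL = re.compile(r'\{\{\s*\w+\s*\|\s*default:"([^"]*)"\s*\}\}')


def literal_is_html_safe(literal: str) -> bool:
    """True if the literal is already in canonical escaped form.

    Django inserts filter string literals without autoescaping, so a raw
    <, > or & in the literal reaches the page verbatim. Round-tripping
    through unescape/escape accepts "3 &lt; 2" but rejects "3 < 2" and
    "3 > 2" (and, by design, both halves of the ticket's argument).
    """
    return html.escape(html.unescape(literal), quote=False) == literal


def audit_default_literal(tag: str) -> dict:
    """Report on the literal in one default-filter tag: the raw literal,
    whether it is safe as-is, and the escaped form to use instead."""
    m = DEFAULT_LITERAL.match(tag.strip())
    if m is None:
        raise ValueError("not a {{ var|default:\"...\" }} tag: %r" % tag)
    literal = m.group(1)
    return {
        "literal": literal,
        "safe": literal_is_html_safe(literal),
        "escaped": html.escape(html.unescape(literal), quote=False),
    }


def find_unsafe_default_literals(template: str) -> list:
    """Every default-filter literal in the template that still needs
    escaping, in document order. Text and attribute contexts are treated
    alike, since the fragment alone does not say where it will be rendered."""
    return [m.group(1) for m in DEFAULT_LITERAL.finditer(template)
            if not literal_is_html_safe(m.group(1))]


# Constructed sample template covering the cases argued in the ticket.
SAMPLE_TEMPLATE = """
<p>{{ data|default:"3 > 2" }}</p>         <!-- the original doc example -->
<p>{{ data|default:"3 < 2" }}</p>         <!-- raw < in text content -->
<p>{{ data|default:"3 &lt; 2" }}</p>      <!-- pre-escaped: fine -->
<p title="{{ data|default:"x > y" }}">ok</p>  <!-- inside an attribute -->
"""
```

Running `find_unsafe_default_literals(SAMPLE_TEMPLATE)` flags the `>` example alongside the `<` one, which is the reason comment 4 keeps both escaped.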

comment:5 Changed 6 years ago by mtredinnick

  • Resolution set to fixed
  • Status changed from new to closed

(In [7811]) Changed a documentation example that wasn't wrong to stop complaints.

Fixed #7544.

comment:6 Changed 3 years ago by jacob

  • milestone 1.0 deleted

Milestone 1.0 deleted
