Opened 15 years ago

Closed 15 years ago

#9700 closed (wontfix)

join filter can't be used with 'safe' filter anymore

Reported by: Thomas Capricelli Owned by: nobody
Component: Template system Version: dev
Severity: Keywords: join
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


usecase: lists = [ '<a href="asdfa">asdfasd</a>", '<a href="asdfa">asdfasd</a>",
'<a href="asdfa">asdfasd</a>"], is sent to a template, which does

{{lists|join:", "|safe}}

Until recently the output was a list of links on the webpage. Not anymore, now the html is escaped and "<a href..." is displayed on the webpage. The commit that broke it is r9442.

I dont understand it enough to guess if this new behaviour is expected, or a bug/regression.

(of course, in this example, i can do the join in python before calling the template).

Change History (1)

comment:1 by Malcolm Tredinnick, 15 years ago

Resolution: wontfix
Status: newclosed

The current behaviour is correct; the previous behaviour was broken. This is a consequence of r9442, wherein the join filter wasn't handling autoescaping of the joining value properly. So join has to do escaping of unsafe strings internally (this is the same as other filters that act on lists).

You'll need to mark the strings you're passing in as safe strings (or write a filter that applies the safe filter to each element of a list and apply that before the join filter) in order to get the previous behaviour.

Sorry about that, but it's really unavoidable, since join has to be able to work with things like "&" as the joiner, hence return a safe string, hence do escaping itself, if autoescaping is available.

I've open #9701 to remind me to think about whether adding a safe-like filter that applies elementwise to a list has any big downsides and is worth it. There isn't an enormous use-case for it, but it might not hurt.

Note: See TracTickets for help on using tickets.
Back to Top