The current AutoEscaping proposal has met arguments on several fronts:

 * Too magic
 * Too implicit
 * HTML escaping only

This alternative proposal attempts to provide a concise solution that answers these arguments:

= Suggested Solution =

Escaping only matters for !VariableNodes (`{{ object.name }}` tags). Filters are applied to each of these nodes individually.
The straightforward solution is to provide a block tag which automatically adds filters (for HTML escaping, `|escape`) to any variable tag defined within the block.

'''The solution is to provide a `{% finalfilter %}` block tag'''.

If a tag has already been "finalized" in the view (i.e. it doesn't need the filters added to it), a specific new filter `|finalized` can be added to that variable tag.

If a tag already explicitly uses the filter, it will not be added again.

== Not too magic ==

There is no magical code hidden underneath to worry about. All that's happening is that one or more common filters are applied automatically to every variable tag defined within the `finalfilter` block.

== Not too implicit ==

The template author has to use it explicitly. It ''does'' work across `{% extends %}`ed pages, but some amount of implicitness is required for this to be a useful tag.

== Not just HTML escaping ==

Any filter can be used with the `finalfilter` tag.

= Example =

`base.html`:

{{{
{% load filtertags %}
{% finalfilter escape %}
<html>
<head>
<title>Test Escaping</title>
</head>

<body>
<div id="content">
{% block content %}{% endblock %}
</div>
</body>
</html>
{% endfinalfilter %}
}}}

`index.html`:
{{{
{% extends "base.html" %}

{% block content %}
<h1>{{ object.title }}</h1>
<p>{{ object.details }}</p>
{% endblock %}
}}}

`edit.html`:
{{{
{% extends "base.html" %}

{% block content %}
<h1>Edit {{ object.title }}</h1>
{% finalfilter finalized %}
<p><label for="id_title">Title</label> {{ form.title }}</p>
<p><label for="id_details">Details</label> {{ form.details }}</p>
{% endfinalfilter %}
{% endblock %}
}}}
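The following is an added example, not code from the proposal or from Django: a minimal Python renderer that models the `finalfilter` semantics described above (final filters added to every variable tag in the block, skipped when the tag already applies them explicitly, and suppressed for tags marked `|finalized` or sitting inside a `{% finalfilter finalized %}` block, as in `edit.html`). The `FILTERS` registry, the `render`/`render_variable` functions and the sample context are assumptions made for this example; `{% extends %}`/`{% block %}` inheritance is not modelled, so the block nesting from `edit.html` is written out inline.

```python
import html
import re

# Filter registry (constructed for this example). "finalized" is the marker
# filter from the proposal: it leaves the value untouched and tells the
# renderer not to add any final filters to that tag.
FILTERS = {
    "escape": lambda value: html.escape(str(value), quote=True),
    "upper": lambda value: str(value).upper(),
    "finalized": lambda value: value,
}

# Split a template into {{ ... }} variable tags, {% ... %} block tags and text.
TOKEN_RE = re.compile(r"({{.*?}}|{%.*?%})", re.DOTALL)


def lookup(context, dotted_name):
    """Resolve a dotted name such as 'object.title' against dicts/attributes."""
    value = context
    for part in dotted_name.split("."):
        value = value[part] if isinstance(value, dict) else getattr(value, part)
    return value


def render_variable(expr, context, final_stack):
    """Render one {{ name|filter|... }} tag, appending the active final filters."""
    name, *explicit = [piece.strip() for piece in expr.split("|")]
    chain = list(explicit)
    active = [f for names in final_stack for f in names]
    # A tag marked |finalized, or inside a {% finalfilter finalized %} block,
    # gets no final filters; otherwise each active final filter is appended
    # once, unless the tag already applies it explicitly.
    if "finalized" not in chain and "finalized" not in active:
        for filter_name in active:
            if filter_name not in chain:
                chain.append(filter_name)
    value = lookup(context, name)
    for filter_name in chain:
        value = FILTERS[filter_name](value)
    return str(value)


def render(template, context):
    """Render a template string; each open finalfilter block pushes its filters."""
    out = []
    final_stack = []  # one list of filter names per open {% finalfilter %} block
    for token in TOKEN_RE.split(template):
        if token.startswith("{%"):
            words = token[2:-2].split()
            if words[0] == "finalfilter":
                final_stack.append(words[1:])
            elif words[0] == "endfinalfilter":
                final_stack.pop()
            elif words[0] == "load":
                pass  # {% load filtertags %} is a no-op in this model
            else:
                raise ValueError("unsupported tag: " + token)
        elif token.startswith("{{"):
            out.append(render_variable(token[2:-2].strip(), context, final_stack))
        else:
            out.append(token)
    if final_stack:
        raise ValueError("unclosed finalfilter block")
    return "".join(out)


# Constructed sample context: user-supplied text plus a pre-rendered widget
# that the view has already finalized.
SAMPLE_CONTEXT = {
    "object": {"title": '<b>Tom</b> & "Jerry"', "details": "a < b"},
    "form": {"title": '<input name="title">'},
}

# Constructed page mirroring the base.html/edit.html combination above.
PAGE = (
    "{% load filtertags %}{% finalfilter escape %}"
    "<h1>{{ object.title }}</h1>"
    "<p>{{ object.details|escape }}</p>"
    "{% finalfilter finalized %}{{ form.title }}{% endfinalfilter %}"
    "{% endfinalfilter %}"
)

if __name__ == "__main__":
    print(render(PAGE, SAMPLE_CONTEXT))
```

Rendering `PAGE` escapes `object.title`, escapes `object.details` exactly once despite the explicit `|escape`, and leaves the finalized form widget untouched; a variable tag outside any `finalfilter` block is rendered raw, which is the explicit opt-in the proposal argues for.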