Code


Version 1 (modified by SmileyChris, 8 years ago) (diff)

--

The current AutoEscaping proposal has met arguments on several fronts:

  • Too magic
  • Too implicit
  • HTML escaping only

This alternative proposal attempts to provide a concise solution that answers these arguments:

Suggested Solution

Escaping only matters for VariableNodes ({{ object.name }} tags). A filter is usually applied to each of these nodes. The straight-forward solution is to provide a block tag which can automatically add filters (for html escaping, |escape) to any variable tag defined within the block.

The solution is to provide a {% finalfilter %} block tag.

If a tag has already been "finalized" in the view (ie. it doesn't need the filters added to it), a specific new filter |finalized can be added to that variable tag.

If a tag explictly already uses the filter, it will not be added again.

Not too magic

There is no magical code hidden underneath to worry about. All that's happening is one or more common filters are being applied automatically to every variable tag defined within the finalfilter block.

Not too implicit

The template author has to use it explicitly. It does work across {% extend %}ed pages however, but some amount of implicitness is required for this to be a useful tag.

Not just HTML escaping

Any filter can be used with the finalfilter tag.

Example

base.html:

{% load filtertags %}
{% finalfilter escape %}
<head>
<title>Test Escaping</title>
</head>

<body>
<div id="content">
{% block content %}{% endblock %}
</div>
</body>
</html>
{% endfinalfilter %}

index.html:

{% extends "base.htm" %}

{% block content %}
<h1>{% object.title %}</h1>
<p>{% object.details %}</p>
{% endblock %}

edit.html

{% extends "base.html" %}

{% block content %}
<h1>Edit {% object.title %}</h1>
{% finalfilter finalized %}
<p><label for="id_title">Title</label> {{ form.title }}</p>
<p><label for="id_details">Details</label> {{ form.details }}</p>
{% endfinalfilter %}
{% endblock %}

Attachments (2)

Download all attachments as: .zip