On 04/28/2016 11:46 AM, Aymeric Augustin wrote:
>> On 28 Apr 2016, at 19:30, Aymeric Augustin
>> <aymeric.augus...@polytechnique.org> wrote:
>>
>> It seems reasonable to assume that the result of rendering with
>> autoescaping enabled is HTML-safe — that’s the reason why
>> autoescaping exists.
>
> Scratch that and let me try again:
>
> It seems reasonable to assume that the result of rendering with
> autoescaping enabled is HTML-safe. The template is expected
> to be safe and values from the context were escaped before
> being interpolated into the template.
>
> (This makes my argument a bit weaker but it still stands.)
Yes, that's convincing. I was thinking "we can't be sure of what a template author might have done, so we should assume the output is unsafe", but that's too cautious. With autoescape on, the assumption is clearly that the output of the template render is supposed to be safe. If someone uses |safe to bypass autoescape, they are asserting that whatever they passed through it is also safe. So I think it's right to mark the output safe, at least if autoescape is on.

Not sure about when autoescape is off. There's some advantage to making the behavior simpler and always consistent regardless of the value of autoescape. But I don't have a clear enough sense of the use-cases for autoescape-off to know what the behavior should be in that case. If the primary use case is "rendering a template that isn't destined for the browser anyway, so doesn't need to be safe", then I think it would be wrong to automatically mark that output as safe.

Carl

-- 
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/57225875.9080506%40oddbird.net.
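The behaviour the two messages above are reasoning about, as an added illustration that is not code from this thread and not Django's template engine: a deliberately minimal stand-in that escapes context values on interpolation, honours a |safe filter, and marks the rendered output safe only when autoescape is on. The SafeString class, mark_safe, escape and render below are my own simplified stand-ins modelled on the names Django uses; nested_render and nested_render_autoescape_off, the template strings and the <script> input are constructed for the example. The point it makes concrete is the one Carl raises: a fragment rendered with autoescape on can be interpolated into an outer template without being escaped a second time, whereas a fragment rendered with autoescape off is plain text and gets escaped by the outer render.

```python
import html
import re


class SafeString(str):
    """A str whose content the producer asserts is HTML-safe.

    Simplified stand-in (not django.utils.safestring.SafeString): the only
    property that matters here is that escape() leaves it alone.
    """


def mark_safe(value):
    """Assert that `value` is safe HTML. Whoever calls this owns the risk."""
    return SafeString(value)


def escape(value):
    """Escape a context value unless it has already been marked safe."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


# Assumption: variables look like {{ name }} or {{ name|safe }}; no other
# template syntax is supported by this toy engine.
_VARIABLE = re.compile(r"\{\{\s*(\w+)(?:\|(\w+))?\s*\}\}")


def render(template, context, autoescape=True):
    """Interpolate `context` into `template`.

    With autoescape=True every value is escaped on the way in (unless the
    template author applied |safe), so the result is safe by construction
    and is returned as a SafeString. With autoescape=False nothing is
    escaped, so the result is returned as a plain str; a later render that
    receives it as a context value will escape it like any other value.
    """

    def substitute(match):
        name, filter_name = match.group(1), match.group(2)
        value = context[name]
        if filter_name == "safe":
            # The template author is vouching for this value, not the engine.
            value = mark_safe(value)
        elif filter_name is not None:
            raise ValueError(f"unsupported filter: {filter_name!r}")
        return str(escape(value)) if autoescape else str(value)

    output = _VARIABLE.sub(substitute, template)
    return mark_safe(output) if autoescape else output


def nested_render(user_input):
    """Render a fragment with autoescape on, then embed it in an outer template.

    Returns (inner, outer). The inner result is a SafeString, so the outer
    render leaves it untouched: no double escaping.
    """
    inner = render("<p>{{ name }}</p>", {"name": user_input})
    outer = render("<div>{{ fragment }}</div>", {"fragment": inner})
    return inner, outer


def nested_render_autoescape_off(user_input):
    """Same as nested_render, but the inner render has autoescape off.

    The inner result is raw, unescaped HTML as a plain str, so the outer
    render (autoescape on) escapes the whole fragment, tags included.
    """
    inner = render("<p>{{ name }}</p>", {"name": user_input}, autoescape=False)
    outer = render("<div>{{ fragment }}</div>", {"fragment": inner})
    return inner, outer


if __name__ == "__main__":
    # Constructed sample input standing in for untrusted user data.
    payload = "<script>alert(1)</script>"
    for label, fn in (("autoescape on", nested_render),
                      ("autoescape off", nested_render_autoescape_off)):
        inner, outer = fn(payload)
        print(f"{label}: inner={inner!r} ({type(inner).__name__})")
        print(f"{label}: outer={outer!r}")
    # |safe bypasses escaping entirely: the raw payload reaches the output.
    print(render("<p>{{ name|safe }}</p>", {"name": payload}))
```

Running it shows the asymmetry under discussion: with autoescape on, the script payload is escaped once and the wrapper tags survive intact in the outer document; with autoescape off, the inner fragment is not marked safe, so the outer render escapes the <p> tags along with the payload. The last line shows why |safe is an assertion by the template author rather than a property the engine can check.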