#2359: [patch] Auto-escaping template changes
---------------------------+------------------------------------------------
   Reporter:  mtredinnick  |                Owner:  adrian                
     Status:  new          |            Component:  Template system       
    Version:               |           Resolution:                        
   Keywords:               |                Stage:  Design decision needed
  Has_patch:  1            |           Needs_docs:  0                     
Needs_tests:  0            |   Needs_better_patch:  1                     
---------------------------+------------------------------------------------
Comment (by SmileyChris):

 In the current patch, the example in documentation of `is_safe` isn't
 actually safe - the value passed could be a "safe" string which contains a
 unicode HTML attribute `'į'` so this filter ''will'' introduce a
 dangerous character (`'&'`).
 
 {{{
     2. If your filter is given a "safe" string, is it guaranteed to return a
     "safe" string? If so, set the ``is_safe`` attribute on the function to be
     ``True``. For example, a filter that replaced all numbers with the number
     spelt out in words is going to be safe-string-preserving, since it cannot
     introduce any of the five dangerous characters: <, >, ", ' or &. So we can
     write::

        @register.filter
        def convert_to_words(value):
            # ... implementation here ...
            return result

        convert_to_words.is_safe = True
 }}}

-- 
Ticket URL: <http://code.djangoproject.com/ticket/2359#comment:13>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en
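The failure described in the comment above, as an added stand-alone example (not Django's code and not part of the patch): a digit-to-words filter written the naive way rewrites the digits inside a numeric character reference such as `&#38;`, so a "safe" input that contained no unescaped `&` comes out with a bare `&`. The second filter tokenises character references (decimal, hex and named, all of which can contain digits) and leaves them untouched, which is the property `is_safe = True` actually requires. `SafeData` and `mark_safe` are not modelled; `unescaped_dangerous` and `preserves_safeness` are helpers invented here to make the contract checkable.

```python
import re

# Added example, not Django's own code: a minimal model of the "is_safe"
# contract quoted from the patch documentation. A filter may be marked
# is_safe only if, given a string with no unescaped dangerous characters,
# it returns a string with no unescaped dangerous characters either.

DANGEROUS = set('<>"\'&')

# Well-formed HTML character references: decimal, hexadecimal and named.
# All three kinds can contain digits: &#38;  &#x26;  &frac12;
CHAR_REF = re.compile(r"&(?:#[0-9]+|#[xX][0-9A-Fa-f]+|[A-Za-z][A-Za-z0-9]*);")

DIGIT_WORDS = {
    "0": "zero", "1": "one", "2": "two", "3": "three", "4": "four",
    "5": "five", "6": "six", "7": "seven", "8": "eight", "9": "nine",
}


def unescaped_dangerous(value):
    """Dangerous characters that are NOT part of a well-formed character
    reference. For a string that is 'safe' this set is empty."""
    stripped = CHAR_REF.sub("", value)
    return {c for c in stripped if c in DANGEROUS}


def naive_convert_to_words(value):
    """The filter as the doc excerpt imagines it: replace every digit with
    its word. It never *adds* an '&', but it turns '&#38;' into
    '&#threeeight;', which is no longer a reference, so the '&' that the
    reference was protecting is now exposed to the browser."""
    return re.sub(r"[0-9]", lambda m: DIGIT_WORDS[m.group(0)], value)


# Tokeniser for the fixed filter: a whole character reference is one token
# and is passed through; a bare digit is the other token and is replaced.
TOKEN = re.compile(CHAR_REF.pattern + r"|[0-9]")


def convert_to_words(value):
    """Digit-to-word filter that leaves character references intact, so it
    genuinely preserves safeness and can be marked is_safe."""
    def repl(match):
        tok = match.group(0)
        return tok if tok.startswith("&") else DIGIT_WORDS[tok]
    return TOKEN.sub(repl, value)


# Same attribute-based registration as in the doc excerpt (no @register here).
convert_to_words.is_safe = True


def preserves_safeness(filter_fn, value):
    """Check the is_safe contract on one input: the output may not contain
    an unescaped dangerous character that the input did not already have."""
    return unescaped_dangerous(filter_fn(value)) <= unescaped_dangerous(value)


if __name__ == "__main__":
    # Constructed sample: a 'safe' string whose ampersand is already
    # encoded as a numeric character reference.
    safe_input = "Tom &#38; Jerry: 2 cats"
    for fn in (naive_convert_to_words, convert_to_words):
        print(fn.__name__, repr(fn(safe_input)),
              "preserves safeness:", preserves_safeness(fn, safe_input))
```

The check is deliberately conservative: an input that already carries an unescaped `<` is not "safe" to begin with, so the contract only asks that the filter not make things worse. Named references such as `&frac12;` are left alone as well; rewriting them would produce an unknown entity name, which browsers render as literal text, but the digits-inside-references problem is the same class of bug.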