#26258: Jinja2 rendered templates are not safe by default
---------------------------------+--------------------
Reporter: tsouvarev | Owner: nobody
Type: Bug | Status: new
Component: Template system | Version: 1.9
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Easy pickings: 0 | UI/UX: 0
---------------------------------+--------------------
Here are steps to reproduce:
- have Django 1.9
- make a `simple_tag` that renders a Jinja2 template
- output it
Expected result:
- output is unescaped
What happens:
- output is escaped
With Django's templates everything works just fine, since it calls
`mark_safe` in NodeList.
In pre-1.9 versions it wasn't an issue, because `simple_tag` wasn't
auto-escaped by default.
--
Ticket URL: <https://code.djangoproject.com/ticket/26258>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.