#34581: Filters should not implicitly mark unsafe strings as safe without
escaping
-------------------------------------+-------------------------------------
Reporter: Shai Berger | Owner: omerimzali
Type: Cleanup/optimization | Status: assigned
Component: Template system | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Shai Berger):
Replying to [comment:8 omerimzali]:
>
> For Join filter:
> First case: totally safe inputs. The list members and the joiner are
safe, so it will produce safe output. (There is no unsafe input and no
need to escape anything, so it doesn't hit any of our conditions.)
> Second case: when some of its inputs (the list members and the
joiner) are safe but some of the inputs are unsafe, it still needs to
produce safe output.
> Third case: all of the inputs are unsafe; it can produce unsafe output.
>
Correct.
> For Second case, we have 3 conditions to check:
> [...]
> - the context is such that it should not escape the input: how can we be
sure it should not escape the input? Is the {% autoescape off %} line enough
to assume this? Could there be any other configurations or common behaviours
for some of the filters not to escape the input?
>
Please see the details about {{{needs_autoescape}}}
[https://docs.djangoproject.com/en/4.2/howto/custom-template-tags
/#filters-and-auto-escaping here].
> If we check these 3 conditions it should error out.
>
> And for the 3rd case, if all of the inputs are unsafe, it doesn't need
to produce a safe output, so the source doesn't need to error out. Is that
correct?
>
Right. No need to error, and if autoescape is off, there's no need to
escape. If autoescape is on, though, I would still escape the output even
when all inputs are unsafe -- so that in the majority of cases, there is
no change in behavior.
--
Ticket URL: <https://code.djangoproject.com/ticket/34581#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
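As an added illustration (not code from the ticket or from Django's own template library), the following stand-alone Python sketch implements a join filter that follows the three cases agreed on in the comment above: with autoescape on, every unsafe piece is escaped and the result is marked safe; with autoescape off, an all-safe input is joined and stays safe, an all-unsafe input is joined and returned as a plain str (never marked safe), and a mix of safe and unsafe inputs raises an error because the filter cannot produce a safe result without escaping. The SafeString, mark_safe and conditional_escape shims stand in for django.utils.safestring and django.utils.html so the snippet runs without Django installed; MixedSafetyError, join_filter and render are names chosen for this example, and the render function only models what the engine does with a filter result at output time.

```python
import html


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString: a str the engine
    will not escape again when rendering."""


def mark_safe(s):
    """Stand-in for django.utils.safestring.mark_safe."""
    return s if isinstance(s, SafeString) else SafeString(s)


def conditional_escape(value):
    """Stand-in for django.utils.html.conditional_escape: leave SafeString
    alone, HTML-escape everything else (&, <, >, ", ')."""
    if isinstance(value, SafeString):
        return value
    return mark_safe(html.escape(str(value), quote=True))


class MixedSafetyError(ValueError):
    """Raised (hypothetical name) when a filter is asked not to escape but
    cannot otherwise produce a safe result from mixed-safety inputs."""


def join_filter(value, arg, autoescape=True):
    """Join the strings in `value` with `arg`, following the three cases
    discussed in the ticket. Mirrors the needs_autoescape=True calling
    convention: the engine passes autoescape=False under
    {% autoescape off %}."""
    members = [v if isinstance(v, str) else str(v) for v in value]
    joiner = arg if isinstance(arg, str) else str(arg)
    pieces = [joiner, *members]
    safe_flags = [isinstance(p, SafeString) for p in pieces]

    if autoescape:
        # Autoescape on: escape each unsafe piece, leave safe ones alone.
        # Covers case 1 (nothing to escape, so output is unchanged) and
        # keeps the existing behaviour for cases 2 and 3: escape anyway.
        data = conditional_escape(joiner).join(conditional_escape(m) for m in members)
        return mark_safe(data)

    # Autoescape off from here on.
    if all(safe_flags):
        # Case 1: every input is already safe, so the join is safe too.
        return mark_safe(joiner.join(members))
    if any(safe_flags):
        # Case 2: safe and unsafe pieces mixed, but the context told us not
        # to escape. Marking the result safe would launder the unsafe parts,
        # so refuse instead of implicitly marking unsafe text as safe.
        raise MixedSafetyError(
            "join: cannot produce safe output from mixed safe/unsafe inputs "
            "without escaping, and autoescape is off"
        )
    # Case 3: every input is unsafe. No need to escape and no need to
    # error; return a plain str so the result is NOT marked safe.
    return str(joiner).join(str(m) for m in members)


def render(value, autoescape=True):
    """Model of what the template engine does when it outputs a value:
    escape unless the value is SafeString, but only when autoescape is on."""
    if autoescape:
        return str(conditional_escape(value))
    return str(value)


if __name__ == "__main__":
    # Constructed sample inputs: an unsafe member next to a safe one.
    unsafe = "<script>alert(1)</script>"
    safe = mark_safe("<b>bold</b>")
    print(render(join_filter([unsafe, safe], ", ", autoescape=True)))
    print(render(join_filter([unsafe, "plain"], ", ", autoescape=False), autoescape=False))
```

Under `{% autoescape on %}` the filter receives `autoescape=True` and the first call above escapes only the `<script>` member, leaving the `mark_safe` one intact; under `{% autoescape off %}` the second call joins the two unsafe strings unchanged but returns a plain `str`, so nothing downstream can mistake it for a safe value.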