#15365: if the restructuredtext markup is meant to be safe (I cannot see anything to say if it is or isn't... :/) ...
-------------------------------------------------+--------------------------
               Reporter:  db.pub.mail@…          |         Owner:  nobody
                 Status:  new                    |     Milestone:  1.3   
              Component:  Documentation          |       Version:  1.2   
             Resolution:                         |      Keywords:        
           Triage Stage:  Accepted               |     Has patch:  0     
    Needs documentation:  0                      |   Needs tests:  0     
Patch needs improvement:  0                      |  
-------------------------------------------------+--------------------------
Changes (by russellm):

  * needs_docs:  => 0
  * needs_better_patch:  => 0
  * component:  Contrib apps => Documentation
  * needs_tests:  => 0
  * stage:  Unreviewed => Accepted


Comment:

 Firstly, if you even *suspect* that you have found a potential issue,
 *PLEASE* don't report it through Trac. Mail [email protected]
 with full details of the problem you think you have found.

 As for the ticket itself:

 The output of markup filters *must* be marked as safe strings --
 otherwise, you wouldn't be able to print the HTML markup that they
 produce.

 Whether the input has itself been sanitized is entirely up to your
 application.

 I'm not entirely sure what you expect Django to be able to do in the case
 of the example you provide. The input isn't HTML, so there's nothing that
 Django could identify as requiring an escape.  We can't automatically
 escape the < and >, because that would render the markup invalid, and reST
 would fail. Ultimately, you've provided correctly marked up input that
 will be interpreted as,

 I think the best we can hope to do here is beef up the documentation
 warning of the potential hazards associated with using markup.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/15365#comment:1>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
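The comment's point is that a markup filter must return a safe string, so any sanitizing has to happen on the rendered HTML rather than on the reST input (where escaping `<` and `>` would break the markup). The following is an added example, not code from the ticket or from Django: it assumes neither Django nor docutils is installed, so the rendered fragment is a constructed stand-in for what a reST renderer might emit, and `SafeString` is a hypothetical stand-in for `django.utils.safestring`.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist applied to the *output* of the markup filter (hypothetical policy).
ALLOWED_TAGS = {"p", "em", "strong", "ul", "ol", "li", "code", "pre",
                "a", "h1", "h2", "blockquote", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_PREFIXES = ("http://", "https://", "/")

class SafeString(str):
    """Stand-in for Django's SafeString: marks a str as not needing escaping."""

class FragmentSanitizer(HTMLParser):
    """Keeps allowlisted tags/attributes, re-escapes text, drops script/style."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # nesting depth inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops event handlers and other unknown attributes
            if name == "href" and not value.lower().lstrip().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript:, data: and similar schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_fragment(rendered_html: str) -> str:
    parser = FragmentSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)

def safe_markup_output(rendered_html: str) -> SafeString:
    """What a hardened markup filter returns: sanitized HTML marked as safe."""
    return SafeString(sanitize_fragment(rendered_html))
```

The constructed fragment `<p>Hi <em>there</em></p><script>alert(1)</script>` comes back as `<p>Hi <em>there</em></p>`, while the reST source itself is never escaped.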
