On Oct 30, 6:58 am, Rajesh Dhawan <[EMAIL PROTECTED]> wrote:
> On Oct 30, 1:30 am, shabda <[EMAIL PROTECTED]> wrote:
>
> > So if these built in filters are marking my strings safe, in spite of
> > unsafe data being passed in, should they not handle escaping as well?
>
> The problem seems to be that your filter function doesn't mark itself
> with an is_safe attribute (defaulting it to False). So try marking
> your filter with is_safe=True which means that your filter doesn't
> introduce any HTML unsafe characters by itself (not including the ones
> that are already in the input):
>
> filterxx.is_safe = True
>
> Also, it's easier for people to follow a discussion thread if you
> don't top post your responses.
>
> -RD

I don't think setting is_safe is the solution, in fact it sounds like
the exact opposite. Shabda *wants* Django to escape the results.
Instead, try calling django.utils.html.escape() in your filterxx like
so:

return linebreaks(urlize(escape(data.value)))

This will replace <,>,&,etc with the &lt;, &gt;, &amp;, etc.

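The escape-first ordering described above, as an added example that is not part of the original thread. It assumes a constructed sample input and stands in for Django's urlize() and linebreaks() with simplified functions that only wrap text in HTML, which is the property that matters here; html.escape from the standard library plays the role of django.utils.html.escape.

```python
import html
import re

# Simplified stand-ins (assumed, not Django's own code) for urlize() and
# linebreaks(): both add HTML around their input and never escape it.
URL_RE = re.compile(r'(https?://[^\s<]+)')

def urlize(text):
    """Wrap bare http(s) URLs in anchor tags."""
    return URL_RE.sub(r'<a href="\1">\1</a>', text)

def linebreaks(text):
    """Blank lines become paragraphs, single newlines become <br />."""
    paras = re.split(r'\n{2,}', text.strip())
    return ''.join('<p>%s</p>' % p.replace('\n', '<br />') for p in paras)

def filterxx_unsafe(value):
    # The ordering from the thread before the fix: user markup passes through
    # untouched, so anything the filter returns must not be marked safe.
    return linebreaks(urlize(value))

def filterxx(value):
    # The fix suggested in the reply: escape the user data first, then let the
    # HTML-producing helpers add their own markup on top of the escaped text.
    return linebreaks(urlize(html.escape(value)))

def filterxx_wrong_order(value):
    # Escaping last is also wrong: it neutralises the <a>, <p> and <br /> tags
    # that the filter itself generated, so the output renders as literal text.
    return html.escape(linebreaks(urlize(value)))

# Constructed sample input mixing user-supplied markup with a URL and a newline.
SAMPLE = '<script>alert(1)</script> see http://example.com\nsecond line'

if __name__ == '__main__':
    for fn in (filterxx_unsafe, filterxx, filterxx_wrong_order):
        print(fn.__name__, '->', fn(SAMPLE))
```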
