I stumbled upon this by accident, and after doing some research in the
docs, it seems that there is a flaw with the translation template tags
and auto-escaping. I might have missed something, or maybe it was
designed to do this, so I'm posting here to figure out what's going on.
Anyway, the issue is that if I were to put {{ myvar }}, a user-submitted
variable, it will be auto-escaped so that harmful text like <, >, ",
etc. will be escaped. However, if I put my var into a translation tag
like
{% trans myvar %} or
{% blocktrans %} this is {{ myvar }}{% endblocktrans %}
myvar will no longer be escaped; instead, if a user were to write some
harmful JS/HTML code, it would be run. I found that if you put the
variables in blocktrans using with, they will be escaped:
{% blocktrans with myvar as myvar %}this is {{ myvar }}{% endblocktrans %}
I found this behavior a bit odd, but I might have missed something, so
I'm hoping some of you can help me clear up how to use the translation
tags without making a site unsafe.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---
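The behaviour described in the post above, as an added example that is not part of the original message and is not Django's own code: a small Python model of the two rendering paths. It assumes a constructed gettext-style catalog (CATALOG) and the helper names translate, conditional_escape, trans_unescaped, trans_escaped and blocktrans, with html.escape standing in for the template engine's autoescaping. The point it makes concrete is that a gettext lookup returns an unknown message id unchanged, so translating a user-supplied value without escaping the result is a raw pass-through of that input into the page, whereas translating the developer-written template string and escaping the interpolated variables is safe.

```python
import html

# Constructed translation catalog standing in for a real gettext catalog
# (assumption for this example). Keys are message ids, i.e. the literal
# strings a developer writes in templates; values are translations.
# gettext semantics: a message id that is not in the catalog is returned
# unchanged, which is exactly what makes translating user input dangerous.
CATALOG = {
    "Hello": "Hallo",
    "this is %(myvar)s": "dies ist %(myvar)s",
}


class SafeString(str):
    """Marker for strings already known to be safe HTML (like a mark_safe result)."""


def translate(msgid):
    """gettext-style lookup: unknown message ids pass straight through."""
    return CATALOG.get(msgid, msgid)


def conditional_escape(value):
    """Escape < > & " ' unless the value is explicitly marked safe."""
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(str(value), quote=True)


def trans_unescaped(value):
    """Models the '{% trans myvar %}' behaviour the post describes: the
    translation result is emitted verbatim. For an untrusted value that is
    not in the catalog this returns the attacker's markup unchanged."""
    return translate(value)


def trans_escaped(value):
    """The safe variant: translate first, then autoescape the result unless
    it was marked safe. Catalog hits still work; unknown (user-supplied)
    message ids come out escaped."""
    return conditional_escape(translate(value))


def blocktrans(template, **variables):
    """Models the '{% blocktrans with ... %}' pattern: only the literal,
    developer-written template string is looked up in the catalog, and the
    interpolated variables are escaped before substitution. Because the
    user value sits in the mapping, not in the format string, a '%' inside
    it is never interpreted."""
    translated = translate(template)
    safe_vars = {name: conditional_escape(value) for name, value in variables.items()}
    return translated % safe_vars


def demo():
    # Constructed user-submitted payload.
    payload = "<script>alert(document.cookie)</script>"
    return {
        "trans_unescaped": trans_unescaped(payload),
        "trans_escaped": trans_escaped(payload),
        "trans_catalog_hit": trans_escaped("Hello"),
        "trans_marked_safe": trans_escaped(SafeString("<em>ok</em>")),
        "blocktrans": blocktrans("this is %(myvar)s", myvar=payload),
    }


if __name__ == "__main__":
    for name, rendered in demo().items():
        print(f"{name}: {rendered}")
```

The rule of thumb this illustrates: translation tags are for strings the developer wrote, and user data should reach the output only as an interpolated variable that is escaped on the way in. Whether a given Django release escapes the output of {% trans %} and of plain {{ var }} inside {% blocktrans %} depends on the version, so check the i18n documentation for the version you run, or escape untrusted values yourself before they reach a translation tag, rather than assuming autoescaping applies there.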