On Thu, 2009-02-26 at 01:11 -0800, Briel wrote:
> I stumbled upon this by accident, and after doing some research on the
> docs, it seems that there is a flaw with the translation template tags
> and the auto escaping. I might have missed something or maybe it's
> created to do this, so I'm posting here to figure out what's going on.
> 
> Anyways, the issue is that if I were to put {{ myvar }}, a user
> submitted variable, it will be auto-escaped so that harmful text like <>
> " etc. will be escaped. However, if I put my var into a translation tag
> like
> 
> {% trans myvar %} or
> {% blocktrans %} this is {{ myvar }}{% endblocktrans %}
> 
> myvar will no longer be escaped; instead, if a user were to write some
> harmful js/html code, it would be run. I found that if you put the
> variables in blocktrans using with, they will be escaped:
> 
> {% blocktrans with myvar as myvar %}this is {{ myvar }}{%
> endblocktrans %}
> 
> I found this behavior a bit odd, but I might have missed something, so
> hoping some of you guys can help me clear up the use of the
> translation tags without making a site unsafe.

Nice catch. These both look like bugs. If you could open a ticket for
them (put it in the internationalization category), they should be
fixed.

Regards,
Malcolm
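A small template audit script, added here and not part of the thread, that flags the two unescaped patterns Briel describes: a `{% trans %}` tag whose argument is a variable rather than a string literal, and a `{% blocktrans %}` body interpolating a variable that was not bound through `with`, so existing templates can be reviewed while the ticket is open. The template text is constructed for the example, and the regexes assume the Django 1.0-era `with expr as name` syntax.

```python
import re

# {% trans <variable> %}: the argument is not a quoted literal, so it is
# a context variable that the tag (as reported) renders without escaping.
TRANS_VAR = re.compile(r'{%\s*trans\s+(?!["\'])([A-Za-z_][\w.]*)\s*%}')
# {% blocktrans [with ...] %} ... {% endblocktrans %}, body may span lines.
BLOCKTRANS = re.compile(
    r'{%\s*blocktrans\b([^%]*)%}(.*?){%\s*endblocktrans\s*%}', re.S)
# {{ name }} inside a blocktrans body.
VAR_IN_BLOCK = re.compile(r'{{\s*([A-Za-z_][\w.]*)\s*}}')
# "expr as name" pairs in the blocktrans header (with/count clauses).
WITH_ALIAS = re.compile(r'(\S+)\s+as\s+(\w+)')


def _line_of(source, pos):
    """1-based line number of character offset pos in source."""
    return source.count('\n', 0, pos) + 1


def audit_template(source):
    """Return (tag, variable, line) for each interpolation that bypasses
    autoescaping according to the behaviour reported in the thread."""
    findings = []
    for m in TRANS_VAR.finditer(source):
        findings.append(('trans', m.group(1), _line_of(source, m.start())))
    for m in BLOCKTRANS.finditer(source):
        header, body = m.group(1), m.group(2)
        # Names bound with "with ... as name" are escaped, so they are safe.
        aliased = {name for _, name in WITH_ALIAS.findall(header)}
        for v in VAR_IN_BLOCK.finditer(body):
            if v.group(1) not in aliased:
                pos = m.start(2) + v.start()
                findings.append(('blocktrans', v.group(1), _line_of(source, pos)))
    return sorted(findings, key=lambda f: f[2])


# Constructed sample template mirroring the cases from the report.
SAMPLE = """\
<p>{{ myvar }}</p>
<p>{% trans myvar %}</p>
<p>{% trans "Welcome" %}</p>
{% blocktrans %}this is {{ myvar }}{% endblocktrans %}
{% blocktrans with myvar as myvar %}this is {{ myvar }}{% endblocktrans %}
"""

if __name__ == '__main__':
    for tag, name, line in audit_template(SAMPLE):
        print('line %d: {%% %s %%} renders %s unescaped' % (line, tag, name))
```

Only lines 2 and 4 of the sample are reported; the plain `{{ myvar }}` on line 1 and the `with`-bound form on line 5 are escaped and pass.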

