I have created a new ticket for this issue for those interested. The ticket number is #10369
On 27 Feb., 03:36, Malcolm Tredinnick <[email protected]> wrote:
> On Thu, 2009-02-26 at 01:11 -0800, Briel wrote:
> > I stumbled upon this by accident, and after doing some research on the
> > docs, it seems that there is a flaw with the translation template tags
> > and the auto-escaping. I might have missed something or maybe it's
> > created to do this, so I'm posting here to figure out what's going on.
> >
> > Anyway, the issue is that if I were to put {{ myvar }}, a user
> > submitted variable, it will be auto-escaped so that harmful text like <>
> > " etc. will be escaped. However, if I put my var into a translation tag
> > like
> >
> > {% trans myvar %} or
> > {% blocktrans %} this is {{ myvar }}{% endblocktrans %}
> >
> > myvar will no longer be escaped; instead, if a user would write some
> > harmful js/html code, it would be run. I found that if you put the
> > variables in blocktrans using with, it will be escaped:
> >
> > {% blocktrans with myvar as myvar %}this is {{ myvar }}{% endblocktrans %}
> >
> > I found this behavior a bit odd, but I might have missed something, so
> > hoping some of you guys can help me clear up the use of the
> > translation tags without making a site unsafe.
>
> Nice catch. These both look like bugs. If you could open a ticket for
> them (put it in the internationalization category), they should be
> fixed.
>
> Regards,
> Malcolm
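As an added illustration (not part of the thread), the forms discussed above side by side in one Django template, with the `with`-bound form Briel found to be escaped. The `force_escape` variant at the end is my own defensive suggestion, assuming `myvar` is user-controlled and that filters are accepted in the `with` clause as the Django docs describe.

```django
{# Constructed example. Assume myvar comes from user input, e.g. #}
{# "<script>alert(1)</script>", and autoescaping is on (the default). #}

{# Escaped: the plain variable tag applies auto-escaping. #}
<p>{{ myvar }}</p>

{# NOT escaped (the behaviour reported above): the value goes straight #}
{# through the translation machinery, so any markup in myvar is rendered. #}
<p>{% trans myvar %}</p>
<p>{% blocktrans %}this is {{ myvar }}{% endblocktrans %}</p>

{# Escaped: binding the variable with "with" makes blocktrans escape it. #}
<p>{% blocktrans with myvar as myvar %}this is {{ myvar }}{% endblocktrans %}</p>

{# Defensive variant (my addition): escape explicitly when binding, so the #}
{# output stays safe regardless of how blocktrans treats autoescaping. #}
<p>{% blocktrans with myvar|force_escape as safevar %}this is {{ safevar }}{% endblocktrans %}</p>
```

Rendering this template with a `myvar` containing markup and inspecting the output of each paragraph is a quick regression check for the ticket mentioned above.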

