Re: Should Template.render() return a safe string?

2016-04-28 Thread Aymeric Augustin 
> On 28 Apr 2016, at 20:37, Carl Meyer  wrote:
> 
> I don't have a clear enough sense of the use-cases for
> autoescape-off to know what the behavior should be in that case. If the
> primary use case is "rendering a template that isn't destined for the
> browser anyway, so doesn't need to be safe", then I think it would be
> wrong to automatically mark that output as safe.

… which is what Django currently does. I’m leaning towards changing it.

Sadly it falls somewhere on a line between “nebulous security hardening”
and “gratuitous backwards incompatibility” :-(

-- 
Aymeric.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/696864AE-1E61-436B-8C29-7F18FD4AE269%40polytechnique.org.
For more options, visit https://groups.google.com/d/optout.

Re: Should Template.render() return a safe string?

2016-04-28 Thread Carl Meyer 
On 04/28/2016 11:46 AM, Aymeric Augustin wrote:
>> On 28 Apr 2016, at 19:30, Aymeric Augustin 
>>  wrote:
>>
>> It seems reasonable to assume that the result of rendering with
>> autoescaping enabled is HTML-safe — that’s the reason why
>> autoescaping exists.
> 
> Scratch that and let me try again:
> 
> It seems reasonable to assume that the result of rendering with
> autoescaping enabled is HTML-safe. The template is expected
> to be safe and values from the context were escaped before
> being interpolated into the template.
> 
> (This makes my argument a bit weaker but it still stands.)

Yes, that's convincing. I was thinking "we can't be sure of what a
template author might have done, so we should assume the output is
unsafe", but that's too cautious. With autoescape on, the assumption is
clearly that the output of the template render is supposed to be safe.
If someone uses |safe to bypass autoescape, they are asserting that
whatever they passed through it is also safe. So I think it's right to
mark the output safe, at least if autoescape is on.

Not sure about when autoescape is off. There's some advantage to making
the behavior simpler and always consistent regardless of the value of
autoescape. But I don't have a clear enough sense of the use-cases for
autoescape-off to know what the behavior should be in that case. If the
primary use case is "rendering a template that isn't destined for the
browser anyway, so doesn't need to be safe", then I think it would be
wrong to automatically mark that output as safe.

Carl

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/57225875.9080506%40oddbird.net.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: OpenPGP digital signature

Re: Should Template.render() return a safe string?

2016-04-28 Thread Aymeric Augustin 
> On 28 Apr 2016, at 19:30, Aymeric Augustin 
>  wrote:
> 
> It seems reasonable to assume that the result of rendering with
> autoescaping enabled is HTML-safe — that’s the reason why
> autoescaping exists.

Scratch that and let me try again:

It seems reasonable to assume that the result of rendering with
autoescaping enabled is HTML-safe. The template is expected
to be safe and values from the context were escaped before
being interpolated into the template.

(This makes my argument a bit weaker but it still stands.)

-- 
Aymeric.


-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/ED92EE2B-61F3-4E5C-A364-8CC23613D1C3%40polytechnique.org.
For more options, visit https://groups.google.com/d/optout.

Re: Should Template.render() return a safe string?

2016-04-28 Thread Aymeric Augustin 
Hi Carl,

> On 28 Apr 2016, at 19:08, Carl Meyer  wrote:
> 
> Given that both templating
> languages allow turning off autoescaping (or bypassing it in other
> ways), there's no a priori reason to believe that a string resulting
> from rendering a template is necessarily a safe string.

If we’re following this reasoning, perhaps we should consider the
result safe or unsafe according to whether autoescaping is on?

It seems reasonable to assume that the result of rendering with
autoescaping enabled is HTML-safe — that’s the reason why
autoescaping exists.

It's more cavalier to make this assumption when autoescaping
is disabled. I’m fine with letting developers who run without
escaping manage HTML-safety manually ;-)

In Django, autoescaping is a configuration setting of each
template backend, so we could fix the issue at this level.
That would mean calling mark_safe on Jinja2 when
autoescaping is enabled and mark_for_escaping on Django
when it’s disabled.

-- 
Aymeric.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/6A9B032F-13AD-4076-9DC3-77E813A29E72%40polytechnique.org.
For more options, visit https://groups.google.com/d/optout.

Re: Should Template.render() return a safe string?

2016-04-28 Thread Carl Meyer 
Hi Aymeric,

On 04/28/2016 11:02 AM, Aymeric Augustin wrote:
> I just stumbled upon an interesting difference between Jinja2 and the
> Django template language.
> 
> |Template.render()| returns a safe string in Django. It's likely an
> accident of the implementation more than a design choice. It happens
> because |NodeList.render()| calls |mark_safe()| on its output, even at
> the top level.
> 
> I believe that |Template.render()| doesn't return a safe string in
> Jinja2. To achieve this effect, one would have to wrap the return value
> here
> 
> in |Markup()|.
> 
> It's unclear to me that one behavior has significant advantages over the
> other. It would be nice to resolve this inconsistency because it can
> cause non-trivial bugs such as torchbox/wagtail#2541
> .

ISTM that Jinja2's behavior is preferable. Given that both templating
languages allow turning off autoescaping (or bypassing it in other
ways), there's no a priori reason to believe that a string resulting
from rendering a template is necessarily a safe string.

Carl

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/57224377.2000403%40oddbird.net.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: OpenPGP digital signature

Should Template.render() return a safe string?

2016-04-28 Thread Aymeric Augustin 
Hello,

I just stumbled upon an interesting difference between Jinja2 and the Django 
template language.

Template.render() returns a safe string in Django. It's likely an accident of 
the implementation more than a design choice. It happens because 
NodeList.render() calls mark_safe() on its output, even at the top level.

I believe that Template.render() doesn't return a safe string in Jinja2. To 
achieve this effect, one would have to wrap the return value here 

 in Markup().

It's unclear to me that one behavior has significant advantages over the other. 
It would be nice to resolve this inconsistency because it can cause non-trivial 
bugs such as torchbox/wagtail#2541 
.

What do you think?

-- 
Aymeric.

PS: I also brought up this question in an issue on Jinja2: pallets/jinja#576 
.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/8F39DEFA-7960-46FE-BEDA-205D9A421C0C%40polytechnique.org.
For more options, visit https://groups.google.com/d/optout.