#29602: Django 2.0 breaks interop with Jinja2 forceescape filter
-------------------------------------------+------------------------
               Reporter:  Richard Eames    |          Owner:  nobody
                   Type:  Bug              |         Status:  new
              Component:  Template system  |        Version:  2.0
               Severity:  Normal           |       Keywords:
           Triage Stage:  Unreviewed       |      Has patch:  0
    Needs documentation:  0                |    Needs tests:  0
Patch needs improvement:  0                |  Easy pickings:  0
                  UI/UX:  0                |
-------------------------------------------+------------------------
 Not sure if this is a Django bug, jinja bug, or something I need to change
 for upgrading to Django 2.0, but since it was a Django commit that causes
 it, I'm reporting here first.

 I recently upgraded to Django 2.0, and shortly after had a complaint from
 one of our users about a page not displaying correctly. I tracked down the
 issue to a usage of Jinja's `forceescape` filter.

 My usage is that we're displaying a preview of an email that will be sent
 out, and we do this by using the `srcdoc` attribute of iframe, so our code
 looks like:

 {{{
 <iframe srcdoc="{{ rendered_email | forceescape }}"></iframe>
 }}}

 The `rendered_email` variable is from a call to
 `get_template(template_name).render(ctx)`, which returns a `SafeString`
 object. Which makes sense since a rendered template should be html. And
 since I want to display the email inside of html again, it needs to be
 re-escaped, logically with the `forceescape` filter.

 However, a change from
 [https://code.djangoproject.com/ticket/27795 this ticket]/[https://github.com/django/django/commit/ccfd1295f986cdf628d774937d0b38a14584721f#diff-58d9f7a5099962dc591a93a47a671b72 this commit]
 causes the `forceescape` filter to fail on the jinja side. `forceescape`
 calls `str()` on its argument to remove the "safety", then re-escapes it,
 however, the aforementioned commit allows `SafeString` to bypass the
 assumption that jinja makes when calling `str()`.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/29602>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
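
Added example (not from the ticket, Django, or Jinja2): a standard-library model of the interaction reported above, showing why a filter that relies on `str()` to drop the "safe" marker stops escaping, next to a variant that builds an exact built-in `str` first. All class and function names are hypothetical, and it assumes the behaviour behind the report is a `__str__` that returns the object itself.

```python
import html


class ModelSafeString(str):
    """Stand-in for a 'safe' string type: marked as HTML, and str() returns self."""

    def __html__(self):
        return self

    def __str__(self):
        # Assumed behaviour behind the report: no plain-str copy is made.
        return self


class ModelMarkup(str):
    """Stand-in for the template engine's own 'already escaped' type."""

    def __html__(self):
        return self


def model_escape(value):
    """Escape unless the value advertises __html__ (the usual autoescape contract)."""
    if hasattr(value, "__html__"):
        return ModelMarkup(value.__html__())
    return ModelMarkup(html.escape(str(value), quote=True))


def forceescape_via_str(value):
    """Pattern from the report: str() is expected to drop the safe marker."""
    return model_escape(str(value))


def forceescape_exact_str(value):
    """Variant that builds an exact built-in str before escaping."""
    if hasattr(value, "__html__"):
        value = value.__html__()
    # str.__str__ on a subclass instance returns a plain str copy.
    return model_escape(str.__str__(value))


# Constructed sample: a rendered email fragment headed for an attribute value.
rendered_email = ModelSafeString('<p title="hi">Hello & welcome</p>')

if __name__ == "__main__":
    print(type(str(rendered_email)).__name__)     # the marker survives str()
    print(forceescape_via_str(rendered_email))    # markup comes back unescaped
    print(forceescape_exact_str(rendered_email))  # markup is entity-escaped
```

With the unescaped result placed in `srcdoc="..."`, the first double quote in the rendered email ends the attribute value, which matches the broken preview the report describes.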
