Re: Migrating into Django 1.9; question about autoescape

2018-03-11 Thread Peter of the Norse
This seems odd, because autoescaping has been on since almost the beginning.
https://web.archive.org/web/20080826081214/http://docs.djangoproject.com:80/en/dev/topics/templates/#id2
What actually changed with 1.9?

> On Feb 13, 2018, at 7:53 AM, Bill Torcaso  wrote:
> 
> 
> Hello all,
> 
> I have the task of migrating a very old website from Django 1.7 to either 
> Django 1.11 or 2.0, depending on the effort.
> 
> My plan is to go from 1.7 --> 1.8 --> 1.9 --> 1.10 --> 1.11, adapting the 
> codebase as I go.  It's been easy enough until I arrive at 1.9, and the 
> change in template-rendering in which "autoescape" defaults to "on".
> 
> Now a lot of my payload is arriving at the browser with my HTML tags escaped. 
>  For example,
> 
>gets rendered asbutton
> 
> I have no argument with the autoescape-on default setting.  But I am unsure 
> how to proceed, and how large the effort will be.  As background, I am a 
> seasoned back-end programmer and a lightweight in HTML and template issues.
> 
> I see these alternatives.  Are there any others?
> 
> 1. Get to the Template Engine object and set its autoescape attribute to "off".  
>    This loses the protection that autoescape-on provides, restores the Django 
>    1.8 behavior, and lets me proceed with the smallest amount of effort.
> 
>    Is this the template engine I need?  "django.core.context_processors.request" 
>    And how do I get to the object?
> 
> 2. Visit all of my HTML files and put "{% autoescape off %}" everywhere.
> 
>    I put "{% autoescape off %}" in my base.html, and it partially solved the 
>    problem.  But it did not get everything.
> 
>    This is a medium amount of effort, and if I make a mistake the users will 
>    have a bad experience.
> 
> 3. Visit all of my code and all of my templates, carefully converting into the 
>    world of autoescape-on.
> 
> Thanks in advance,
> 
>   ---  Bill Torcaso

Peter of the Norse
rahmc...@radio1190.org



-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/41307A5D-0AEB-4EAF-A9E9-DE93739A1281%40Radio1190.org.
For more options, visit https://groups.google.com/d/optout.


RE: Migrating into Django 1.9; question about autoescape

2018-02-13 Thread Matthew Pava
At first, I would do your step 1.  I would check for any other errors in Django 
1.8, and then proceed with updating to 1.9 -> 1.10 -> 1.11 -> 2.0.  You are 
probably going to find other issues that need to be resolved in those upgrades. 
 Ultimately, you will probably have to do step 3.  I wouldn’t do step 2 since 
you’ll be updating all of your templates.  If you are going to update all your 
templates, you might as well just do step 3.

From: django-users@googlegroups.com [mailto:django-users@googlegroups.com] On 
Behalf Of Bill Torcaso
Sent: Tuesday, February 13, 2018 8:54 AM
To: Django users
Subject: Migrating into Django 1.9; question about autoescape


Hello all,

I have the task of migrating a very old website from Django 1.7 to either 
Django 1.11 or 2.0, depending on the effort.

My plan is to go from 1.7 --> 1.8 --> 1.9 --> 1.10 --> 1.11, adapting the 
codebase as I go.  It's been easy enough until I arrive at 1.9, and the change 
in template-rendering in which "autoescape" defaults to "on".

Now a lot of my payload is arriving at the browser with my HTML tags escaped.  
For example,

   gets rendered asbutton

I have no argument with the autoescape-on default setting.  But I am unsure how 
to proceed, and how large the effort will be.  As background, I am a seasoned 
back-end programmer and a lightweight in HTML and template issues.

I see these alternatives.  Are there any others?


  1.  Get to the Template Engine object and set its autoescape attribute to 
      "off".  This loses the protection that autoescape-on provides, restores the 
      Django 1.8 behavior, and lets me proceed with the smallest amount of effort.

      Is this the template engine I need?  "django.core.context_processors.request"  
      And how do I get to the object?

  2.  Visit all of my HTML files and put "{% autoescape off %}" everywhere.

      I put "{% autoescape off %}" in my base.html, and it partially solved the 
      problem.  But it did not get everything.

      This is a medium amount of effort, and if I make a mistake the users will have 
      a bad experience.

  3.  Visit all of my code and all of my templates, carefully converting into 
      the world of autoescape-on.

Thanks in advance,

  ---  Bill Torcaso
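
For sizing alternatives 2 and 3 from the thread, an added example (not code from any poster or from Django) that uses only the Python standard library to list each `{{ ... }}` output in a template that would reach the browser unescaped, either because it sits inside `{% autoescape off %}` or because it carries the `safe` filter. The function name, the `Finding` record and the sample template are assumptions made for this illustration; the scan is per file and does not follow `{% extends %}` or `{% include %}`.

```python
import re
from collections import namedtuple

# Matches {% autoescape on|off %}, {% endautoescape %} and {{ expression }}.
TOKEN = re.compile(
    r"\{%\s*autoescape\s+(?P<mode>on|off)\s*%\}"
    r"|(?P<end>\{%\s*endautoescape\s*%\})"
    r"|\{\{\s*(?P<expr>.*?)\s*\}\}",
    re.S,
)
Finding = namedtuple("Finding", "line expr reason")  # hypothetical record type

def unescaped_outputs(source):
    """List each {{ ... }} in one template that is emitted without escaping."""
    # Heuristic: per file only; filter arguments containing '|' or ':' and
    # {% comment %}/{% verbatim %} regions are not handled.
    findings = []
    stack = [True]  # assumed engine setting: autoescape on
    for m in TOKEN.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        if m.group("mode"):
            stack.append(m.group("mode") == "on")
        elif m.group("end"):
            if len(stack) > 1:  # ignore a stray {% endautoescape %}
                stack.pop()
        else:
            expr = m.group("expr")
            filters = [f.split(":")[0].strip() for f in expr.split("|")[1:]]
            if "safe" in filters:
                findings.append(Finding(line, expr, "safe filter"))
            elif not stack[-1] and not {"escape", "force_escape"} & set(filters):
                findings.append(Finding(line, expr, "autoescape off"))
    return findings

# Constructed sample template, not taken from the thread.
SAMPLE = """<h1>{{ title }}</h1>
{% autoescape off %}
  {{ button_html }}
  <p>{{ comment.body }}</p>
  <p>{{ comment.author|escape }}</p>
  {% autoescape on %}{{ footer }}{% endautoescape %}
{% endautoescape %}
<div>{{ sidebar|safe }}</div>
"""

if __name__ == "__main__":
    for f in unescaped_outputs(SAMPLE):
        print(f"line {f.line}: {{{{ {f.expr} }}}} ({f.reason})")
```

Each finding is a spot to decide between leaving trusted markup as is and escaping data that can contain user input.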