On Thu, 2007-11-15 at 10:44 +0100, Michael Radziej wrote:
> On Wed, Nov 14, SmileyChris wrote:
> 
> > 
> > Just noticed an escaped string in my template due to:
> > 
> > {{ image.caption|default:"<em class='faded'>No caption</em>" }}
> > 
> > It seems to me that we should trust that string constants in
> > template variable tags are safe since they are directly in the
> > template author's realm, yes?
> > 
> > The only way I could figure out how to get around this while still
> > using the default tag is super messy:
> > 
> > {% with "<em class='faded'>No caption</em>" as default %}
> > {% with default|safe as default %}
> > {{ image.caption|default:default }}
> > {% endwith %}
> > {% endwith %}
> 
> It took a while for me to understand the trick. Brrrr ...
> 
> I thought shortly about whether it was a good idea to check translations,
> but actually the main reason for auto-escaping is to stop XSS attacks. It's
> probably reasonable to trust your translators. They might introduce buggy
> html, but won't put malicious javascript code in their translations.
> 
> ==> let's treat string literals in templates as safe.

If it were that simple, it'd be fixed by now. :-)

Your logic is right as far as it goes; unfortunately, there is a problem
with message instruction. If the same string appears in two templates,
it will only appear once in the PO file. However, that doesn't work if
one of the templates is an HTML template and the other one isn't
(because the translation would be written differently in each case) and
we have no reliable way of telling when that case arises.

I need to experiment a bit to work out how to help translators in that
case. When I get a chance to look at this later on this evening, I'll do
some experiments.

Malcolm

-- 
If Barbie is so popular, why do you have to buy her friends? 
http://www.pointy-stick.com/blog/
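A minimal model of the escaping behaviour the thread discusses, added here as an illustration and not code from Django or from anyone in the thread: `SafeString`, `mark_safe`, `conditional_escape`, `default_filter` and `render_caption` are simplified stand-ins for the template machinery, showing why the literal argument to `default` comes out escaped and how marking it safe (the `{% with ... |safe %}` workaround) changes only the literal, not the variable.

```python
import html


class SafeString(str):
    """A string the template author has declared to be already-safe HTML.

    Simplified stand-in for Django's SafeString (assumption, not Django code).
    """


def mark_safe(s: str) -> SafeString:
    """Equivalent of applying the |safe filter to a value."""
    return SafeString(s)


def conditional_escape(value) -> SafeString:
    """What autoescaping does at output time: escape anything not marked safe."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def default_filter(value, arg):
    """Model of {{ value|default:arg }}: the argument is used when value is falsy."""
    return value or arg


def render_caption(caption, fallback) -> str:
    """Model of rendering {{ image.caption|default:fallback }} with autoescape on.

    The filter result is escaped unless it carries the safe mark, so a plain
    string literal as the fallback is escaped, while a mark_safe'd one is not.
    """
    return str(conditional_escape(default_filter(caption, fallback)))


# Constructed values mirroring the template snippet from the thread.
LITERAL = "<em class='faded'>No caption</em>"

if __name__ == "__main__":
    # Plain literal: escaped, which is the behaviour the thread complains about.
    print(render_caption("", LITERAL))
    # Literal marked safe (the |safe workaround): emitted as HTML.
    print(render_caption("", mark_safe(LITERAL)))
    # A non-empty caption from data is still escaped; the safe mark on the
    # fallback never leaks onto the variable's own value.
    print(render_caption("<b>Tom</b> & Jerry", mark_safe(LITERAL)))
```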