#26258: Jinja2 rendered templates are not safe by default
---------------------------------+--------------------------------------
     Reporter:  tsouvarev        |  Owner:  nobody
         Type:  Bug              |  Status:  new
    Component:  Template system  |  Version:  1.9
     Severity:  Normal           |  Resolution:
     Keywords:                   |  Triage Stage:  Unreviewed
    Has patch:  1                |  Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |  UI/UX:  0
---------------------------------+--------------------------------------
Comment (by tsouvarev):

Replying to [comment:1 timgraham]:

> Is there a problem if you follow [https://docs.djangoproject.com/en/stable/releases/1.9/#simple-tag-now-wraps-tag-output-in-conditional-escape the rules in the 1.9 release notes] for marking the output of your template tag as safe?

The thing is, the problem template tag is `admin_list_filter` inside Django's admin. We have a list filter that renders via a Jinja2 template, so this issue arises.

> I didn't look in detail at the consequences of your proposed patch, but from a quick glance, I don't see the rationale for considering all rendering of `Template` safe. A regression test to demonstrate the fix would also be required.

Django considers its own templates safe, so why not consider Jinja2's templates safe as well? But, of course, you may come up with a better solution.

--
Ticket URL: <https://code.djangoproject.com/ticket/26258#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
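The mechanism behind this ticket, as an added example that is not part of the ticket or of Django's or Jinja2's code: Django 1.9's `simple_tag` passes the tag's return value through `conditional_escape`, which trusts only objects that implement `__html__` (Django's `SafeString`, Jinja2's `Markup`) and escapes everything else. `jinja2.Template.render()` returns a plain `str`, so a tag that returns Jinja2 output gets its already-escaped HTML escaped a second time and the markup is broken. The example models `SafeString`, `mark_safe` and `conditional_escape` with minimal stand-ins and replaces the Jinja2 renderer with a constructed `jinja_like_render` so it runs offline; the template, the `title` values and the `filter_tag_*` functions are constructed for illustration. It also shows the caveat a reviewer would raise about "just mark Jinja2 output safe": doing so is only sound when the Jinja2 side actually autoescaped, so the fixed variant gates `mark_safe` on that.

```python
import html
import re


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString (modelled on it, not
    imported): a str that declares itself already escaped via __html__."""

    def __html__(self):
        return self


def mark_safe(s):
    """Stand-in for django.utils.safestring.mark_safe."""
    return s if hasattr(s, "__html__") else SafeString(s)


def conditional_escape(text):
    """Stand-in for django.utils.html.conditional_escape: anything exposing
    __html__ is trusted as-is, everything else is HTML-escaped. Django 1.9's
    simple_tag applies this to whatever the tag function returns."""
    if hasattr(text, "__html__"):
        return text.__html__()
    return SafeString(html.escape(str(text), quote=True))


TAG_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def jinja_like_render(template, ctx, autoescape=True):
    """Constructed stand-in for jinja2.Template.render(): substitutes
    {{ name }}, escaping values when autoescape is on, and returns a plain
    str with no __html__, which is exactly the behaviour the ticket hits."""

    def substitute(match):
        value = str(ctx[match.group(1)])
        return html.escape(value, quote=True) if autoescape else value

    return TAG_RE.sub(substitute, template)


# Constructed list-filter template standing in for the admin's own markup.
FILTER_TEMPLATE = '<a href="?title={{ title }}">{{ title }}</a>'


def filter_tag_plain(title):
    """The reported behaviour: the tag hands Jinja2's plain str back to
    simple_tag, and conditional_escape escapes the finished HTML again."""
    rendered = jinja_like_render(FILTER_TEMPLATE, {"title": title})
    return conditional_escape(rendered)


def filter_tag_marked_safe(title, autoescape=True):
    """The fix the release notes point at, with the caveat built in: the
    Jinja2 output is marked safe only when that rendering autoescaped.
    Output of a non-autoescaping render stays a plain str, so simple_tag
    still escapes it instead of letting raw context values reach the page."""
    rendered = jinja_like_render(FILTER_TEMPLATE, {"title": title}, autoescape)
    if autoescape:
        rendered = mark_safe(rendered)
    return conditional_escape(rendered)


if __name__ == "__main__":
    print("double-escaped :", filter_tag_plain("Fri & Sat"))
    print("marked safe    :", filter_tag_marked_safe("Fri & Sat"))
    print("no autoescape  :", filter_tag_marked_safe("<b>x</b>", autoescape=False))
```

Running it prints the broken `&lt;a href=...` string for the plain path and the intact anchor for the marked-safe path; the third line shows that a render done without autoescape is still escaped once by `simple_tag` rather than trusted, which is the property any "treat Jinja2 templates as safe" change in Django would have to preserve.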