#26258: Jinja2 rendered templates are not safe by default
---------------------------------+--------------------------------------
     Reporter:  tsouvarev        |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  Template system  |                  Version:  1.9
     Severity:  Normal           |               Resolution:
     Keywords:                   |             Triage Stage:  Unreviewed
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+--------------------------------------

Comment (by tsouvarev):

 Replying to [comment:1 timgraham]:
 > Is there a problem if you follow
 > [https://docs.djangoproject.com/en/stable/releases/1.9/#simple-tag-now-wraps-tag-output-in-conditional-escape the rules in the 1.9 release notes]
 > for marking the output of your template tag as safe?

 The thing is, the problem templatetag is `admin_list_filter` inside Django's
 admin. We have a list filter that renders via a Jinja2 template, so this
 issue arises.

 > I didn't look in detail at the consequences of your proposed patch, but
 > from a quick glance, I don't see the rationale for considering all
 > rendering of `Template` safe. A regression test to demonstrate the fix
 > would also be required.

 Django considers its own templates safe, so why not consider Jinja2's
 templates safe as well? But, of course, you may come up with a better
 solution.

--
Ticket URL: <https://code.djangoproject.com/ticket/26258#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
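
The mechanism behind this ticket, as an added example that is not part of the ticket or of Django's code base: a stdlib-only model of why output rendered through Django's Jinja2 backend gets escaped once a `simple_tag` wraps its result in `conditional_escape` (the 1.9 behaviour), while output of a Django-backend template passes through untouched. `conditional_escape` leaves a value alone when it exposes an `__html__` method (Django's `SafeString` and markupsafe's `Markup` both do) and HTML-escapes everything else; the Django backend's `Template.render` returns a `SafeString`, the Jinja2 backend's returns jinja2's plain `str`. The helpers below re-implement that convention with `html.escape` so the example runs without Django or Jinja2 installed. `render_django_template`, `render_jinja2_template`, `simple_tag_1_9` and the `FILTER_HTML` sample are constructed stand-ins, not real Django APIs.

```python
"""Added example (not from the ticket or Django): why a Jinja2-rendered
template is escaped by a Django 1.9 simple_tag, and the mark_safe workaround.

The Django pieces are modelled with the stdlib so this runs offline:
- SafeString / mark_safe / conditional_escape mirror django.utils.safestring
  and django.utils.html (the __html__ protocol is the real mechanism).
- render_django_template / render_jinja2_template are assumed stand-ins for
  the two backends' Template.render() return types.
- simple_tag_1_9 is an assumed stand-in for the 1.9 simple_tag decorator.
"""
import html
from typing import Callable


class SafeString(str):
    """Model of django.utils.safestring.SafeString: a str that opts out of
    escaping by implementing the __html__ protocol."""

    def __html__(self) -> str:
        return str(self)


def mark_safe(value: str) -> SafeString:
    """Model of django.utils.safestring.mark_safe."""
    return value if isinstance(value, SafeString) else SafeString(value)


def conditional_escape(value: object) -> SafeString:
    """Model of django.utils.html.conditional_escape: trust anything with an
    __html__ method, escape everything else."""
    if hasattr(value, "__html__"):
        return SafeString(value.__html__())
    return SafeString(html.escape(str(value), quote=True))


def simple_tag_1_9(func: Callable[..., object]) -> Callable[..., SafeString]:
    """Assumed model of Django 1.9's simple_tag: the tag's return value is
    passed through conditional_escape before reaching the page (the real
    decorator does this only when autoescaping is on, which is the default)."""
    def wrapper(*args, **kwargs):
        return conditional_escape(func(*args, **kwargs))
    return wrapper


# Constructed sample: the markup a list-filter template would produce.
FILTER_HTML = '<h3>By status</h3><ul><li><a href="?status=1">Open</a></li></ul>'


def render_django_template() -> str:
    # Django backend: NodeList.render marks its joined output safe.
    return mark_safe(FILTER_HTML)


def render_jinja2_template() -> str:
    # Jinja2 backend: jinja2's Template.render returns a plain str, so the
    # safety marker is lost at the backend boundary.
    return FILTER_HTML


@simple_tag_1_9
def admin_list_filter(render: Callable[[], str]) -> str:
    """Stand-in for the admin tag: returns whatever the backend rendered."""
    return render()


@simple_tag_1_9
def admin_list_filter_fixed(render: Callable[[], str]) -> str:
    """Workaround on the tag side: explicitly trust the backend's output."""
    return mark_safe(render())


def is_escaped(rendered: str) -> bool:
    """True when the tag output has been HTML-escaped (tags turned to &lt;...)."""
    return "&lt;" in rendered and "<" not in rendered


if __name__ == "__main__":
    print("django backend :", admin_list_filter(render_django_template))
    print("jinja2 backend :", admin_list_filter(render_jinja2_template))
    print("jinja2 + fix   :", admin_list_filter_fixed(render_jinja2_template))
```

The middle line of the output shows the symptom from the ticket: the list filter's markup arrives on the page as literal `&lt;h3&gt;...` text. Either side of the boundary can carry the fix, which is the design question the ticket raises: the tag can `mark_safe` what it trusts (as above), or the Jinja2 backend's `Template.render` can return a `SafeString` so that `conditional_escape` treats both backends alike.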
