#14125: 'Safe strings' are not force-escaped on development 500 page
-----------------------------------+----------------------------------------
   Reporter:  elijahr              |                Owner:  nobody    
     Status:  new                  |            Milestone:            
  Component:  Uncategorized        |              Version:  SVN       
   Keywords:  debug.py 500 escape  |                Stage:  Unreviewed
  Has_patch:  1                    |           Needs_docs:  0         
Needs_tests:  0                    |   Needs_better_patch:  0         
-----------------------------------+----------------------------------------
 In the 'Local vars' section of the debugging 500 error page, strings that
 have been 'marked safe' are not escaped before output, which has often
 resulted in HTML from my variables being inserted into the page.

 While using 'mark_safe' on a string variable indicates that the string
 should not be escaped further, I think an exception should be made for the
 debugging 500 page, based on my assumption that most developers would
 rather see a string's value than the resultant HTML elements.

 I have attached a patch that uses 'force_escape' in lieu of 'escape'.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/14125>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
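As an added illustration of the behaviour the ticket describes (not part of the ticket, its patch, or Django's own code), the following Python model mimics Django's safe-string marker and the difference between the `escape` filter, which trusts the marker, and `force_escape`, which ignores it, when rendering a debug page's 'Local vars' table. `SafeString`, `render_local_vars`, and the sample variables are constructed stand-ins.

```python
import html

class SafeString(str):
    """Stand-in for Django's SafeData marker: 'already escaped, leave alone'."""

def mark_safe(value):
    """Constructed stand-in for django.utils.safestring.mark_safe."""
    return SafeString(value)

def conditional_escape(value):
    """Model of the template `escape` filter: honours the safe marker."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))

def force_escape(value):
    """Model of the template `force_escape` filter: escapes regardless."""
    return SafeString(html.escape(str(value), quote=True))

def render_local_vars(local_vars, escaper):
    """Render a 'Local vars' table body, escaping each value with `escaper`.

    Variable names are always escaped; the value column is where the
    choice of escaper matters, because a mark_safe()'d value slips through
    conditional escaping unchanged and is interpreted as markup.
    """
    rows = []
    for name, value in sorted(local_vars.items()):
        rows.append(
            f"<tr><td>{conditional_escape(name)}</td>"
            f"<td>{escaper(value)}</td></tr>"
        )
    return "\n".join(rows)

if __name__ == "__main__":
    # Constructed sample: a view that legitimately marked a fragment safe.
    local_vars = {"banner": mark_safe("<b>Welcome</b>"), "count": 3}
    print("escape (markup rendered, value hidden):")
    print(render_local_vars(local_vars, conditional_escape))
    print("force_escape (value shown literally):")
    print(render_local_vars(local_vars, force_escape))
```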
