2011/3/10 Thiago Carvalho D' Ávila <[email protected]>:
> Oh, thanks a lot. That worked, but now I have one more doubt...
>
> What are the security issues related to the use of safe variable? When can I
> consider it safe? Is it possible to make some kind of injection using it
> this way? Is autoescape a better option?
>
They are all variants of the same thing. These are all equivalent:

{{ foo|safe }}

{% autoescape off %}
{{ foo }}
{% endautoescape %}

from django.utils.safestring import mark_safe
return render_to_response('...', { 'foo': mark_safe(foo) })

They are all equally vulnerable to injection. If you mark a string as
safe, it disables automatic output escaping, and if the string or a
portion of the string is user controlled, then that is an injection
vector, which is why Gennadiy suggested not building the HTML in the
view.
Cheers
Tom
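An added illustration, not code from this thread or from Django itself: a stand-in model of Django's safe-string semantics (a `SafeString` type, `conditional_escape`, and a tiny `{{ }}` renderer, all assumptions that mirror the real behaviour only as far as needed here). It shows that the three forms above yield identical unescaped markup for a user-controlled value, and that escaping the user part before `mark_safe` is the way to keep a view-built fragment safe.

```python
import html
import re


class SafeString(str):
    """String the renderer emits without escaping (models django's SafeString)."""


def mark_safe(s):
    """Model of django.utils.safestring.mark_safe: disables escaping for s."""
    return SafeString(s)


def conditional_escape(value):
    """Escape unless the value was explicitly marked safe (Django's rule)."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


_VAR = re.compile(r"\{\{\s*(\w+)(?:\|(\w+))?\s*\}\}")


def render(template, context, autoescape=True):
    """Tiny stand-in renderer: expands {{ name }} and {{ name|safe }}."""
    def expand(match):
        name, flt = match.group(1), match.group(2)
        value = context[name]
        if flt == "safe" or not autoescape:
            return str(value)           # escaping disabled: raw output
        return conditional_escape(value)
    return _VAR.sub(expand, template)


# Constructed sample of a user-controlled value containing markup.
USER_INPUT = "<script>alert(1)</script>"


def three_equivalent_forms():
    """|safe, autoescape off, and mark_safe in the view: same raw markup."""
    a = render("<p>{{ foo|safe }}</p>", {"foo": USER_INPUT})
    b = render("<p>{{ foo }}</p>", {"foo": USER_INPUT}, autoescape=False)
    c = render("<p>{{ foo }}</p>", {"foo": mark_safe(USER_INPUT)})
    return a, b, c


def escaped_by_default():
    """With autoescape on and no |safe, the markup is neutralised."""
    return render("<p>{{ foo }}</p>", {"foo": USER_INPUT})


def safely_built_in_view(name):
    """If HTML must be built in the view: escape the user part, then mark safe."""
    return mark_safe("<b>%s</b>" % conditional_escape(name))
```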
--
You received this message because you are subscribed to the Google Groups
"Django users" group.