Just wanted to add, the danger is not if the data is coming
from the db, as all the data, more or less, will come from the db.
The problem is if the user has made the input that was saved
to the db, like the username. Marking such content with the
safe tag would make it possible for evil-minded users to destroy
your site.

~Jakob

On 15 Apr., 14:29, mag_dex <mag_...@o2.pl> wrote:
> sorry:
>
> <tr><td class="mini_th">Description:</td><td>{{  script.desc | safe }}</td></tr>
>
> no need to put   {% autoescape off %} in this second statement.
>
> On Apr 15, 3:28 pm, mag_dex <mag_...@o2.pl> wrote:
>
> > Thanks. I've been on that page but I just found
>
> >       {% autoescape off %}
> >       <tr><td class="mini_th">Description:</td><td>{{  script.desc }}</td></tr>
> >       {% endautoescape %}
>
> > Using 'safe' it goes like:
>
> >       {% autoescape off %}
> >       <tr><td class="mini_th">Description:</td><td>{{  script.desc | safe }}</td></tr>
> >       {% endautoescape %}
>
> > Data goes from the db (by but some stuff) so there is no risk.
>
> > Thanks again.
>
> > Wishes,
>
> > M.
>
> > On Apr 15, 2:15 pm, google torp <toppe...@gmail.com> wrote:
>
> > > Hi
> > > There is a page for all the django template
> > > tags: http://docs.djangoproject.com/en/dev/ref/templates/builtins/
>
> > > Your problem is the auto escape, you can use "|safe" to mark something
> > > safe and it won't be escaped. Doing this for user submitted data is a
> > > bad idea though, so make sure you don't make your site vulnerable to
> > > attacks before use.
>
> > > ~Jakob
>
> > > On 15 Apr., 12:52, mag_dex <mag_...@o2.pl> wrote:
>
> > > > Hey,
>
> > > > I've got the following problem. I have stored some pieces of html
> > > > code in the database.
> > > > When django renders the html code, <br> is changed to &lt;br&gt; ;(
> > > > I guess there is an easy way to change the behaviour of rendering but I can't
> > > > find it.
>
> > > > Any ideas?
>
> > > > M.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---

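An added example, not part of the original thread: one way to make a stored HTML fragment such as `script.desc` suitable for `|safe` is to pass it through an allowlist first, so `<br>` still renders while everything else is escaped. It uses only the Python standard library; the function name `sanitize_fragment` and the tag allowlist are assumptions made for this illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this example: plain formatting tags, never attributes.
ALLOWED_TAGS = {"b", "br", "em", "i", "p", "strong"}
VOID_TAGS = {"br"}  # tags that have no closing form


class _AllowlistSanitizer(HTMLParser):
    """Re-emits allowed tags without attributes and escapes everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes (onclick, style, ...) are dropped
        else:
            # Show the disallowed tag as literal text instead of markup.
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <br/> like <br>

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.out.append(escape(f"</{tag}>"))
        elif tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text arrives with entities decoded, so escape it again on output.
        self.out.append(escape(data))


def sanitize_fragment(fragment: str) -> str:
    """Return a fragment containing only allowlisted tags; the rest is escaped."""
    parser = _AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample values, not data from the thread.
    for sample in ("Line one<br>line two",
                   '<b onclick="x()">hi</b>',
                   "<script>alert(1)</script>"):
        print(repr(sample), "->", repr(sanitize_fragment(sample)))
```

Sanitizing when the value is saved, rather than in the template, means `|safe` is only ever applied to output of this function.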