Re: [Django] #24469: forms, form fields and media are escaped wrongfully in non django templates

2015-03-18 Thread Django
#24469: forms, form fields and media are escaped wrongfully in non django 
templates
-+-
 Reporter:  MoritzS  |Owner:  aaugustin
 Type:  Bug  |   Status:  assigned
Component:  Template system  |  Version:  1.8beta2
 Severity:  Release blocker  |   Resolution:
 Keywords:  forms fields media   | Triage Stage:  Ready for
  escape template jinja2 |  checkin
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by Tim Graham ):

 In [changeset:"571e093a258b00b25c24481af7acf0d0a034ec8c" 571e093a]:
 {{{
 #!CommitTicketReference repository=""
 revision="571e093a258b00b25c24481af7acf0d0a034ec8c"
 [1.8.x] Refs #24469 -- Fixed escaping of forms, fields, and media in non-
 Django templates.

 Backport of 6bff3439894ac22d80f270f36513fc86586273f3 from master
 }}}

--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/065.3459eeb9255cda8555ee3ee9708e2867%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Django] #24469: forms, form fields and media are escaped wrongfully in non django templates

2015-03-18 Thread Django
#24469: forms, form fields and media are escaped wrongfully in non django 
templates
-+-
 Reporter:  MoritzS  |Owner:  aaugustin
 Type:  Bug  |   Status:  assigned
Component:  Template system  |  Version:  1.8beta2
 Severity:  Release blocker  |   Resolution:
 Keywords:  forms fields media   | Triage Stage:  Ready for
  escape template jinja2 |  checkin
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by Tim Graham ):

 In [changeset:"6bff3439894ac22d80f270f36513fc86586273f3" 6bff343]:
 {{{
 #!CommitTicketReference repository=""
 revision="6bff3439894ac22d80f270f36513fc86586273f3"
 Refs #24469 -- Fixed escaping of forms, fields, and media in non-Django
 templates.
 }}}



Re: [Django] #24469: forms, form fields and media are escaped wrongfully in non django templates

2015-03-18 Thread Django
#24469: forms, form fields and media are escaped wrongfully in non django 
templates
-+-
 Reporter:  MoritzS  |Owner:  aaugustin
 Type:  Bug  |   Status:  assigned
Component:  Template system  |  Version:  1.8beta2
 Severity:  Release blocker  |   Resolution:
 Keywords:  forms fields media   | Triage Stage:  Ready for
  escape template jinja2 |  checkin
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by aaugustin):

 I'm fine with the patch as is. Let's commit it rather than delay RC1.

 Like I said on IRC, generally speaking, I'm wondering if adding this
 `__html__` method on a case by case basis to some classes is the best idea
 in the long run.

 Can we identify every class whose `__str__` method returns a `SafeStr`? If
 there's three of them, perhaps the ad-hoc method is fine. If there's
 seventeen, then it's a different story.

 Turning it into a mixin wouldn't save much code, would add a layer of
 indirection and a small overhead, but it would also allow us to provide a
 docstring.



Re: [Django] #24469: forms, form fields and media are escaped wrongfully in non django templates

2015-03-13 Thread Django
#24469: forms, form fields and media are escaped wrongfully in non django 
templates
-+-
 Reporter:  MoritzS  |Owner:  aaugustin
 Type:  Bug  |   Status:  assigned
Component:  Template system  |  Version:  1.8beta2
 Severity:  Release blocker  |   Resolution:
 Keywords:  forms fields media   | Triage Stage:  Ready for
  escape template jinja2 |  checkin
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by timgraham):

 * stage:  Accepted => Ready for checkin


Comment:

 Pending Aymeric's review.



Re: [Django] #24469: forms, form fields and media are escaped wrongfully in non django templates

2015-03-12 Thread Django
#24469: forms, form fields and media are escaped wrongfully in non django 
templates
-+-
 Reporter:  MoritzS  |Owner:  aaugustin
 Type:  Bug  |   Status:  assigned
Component:  Template system  |  Version:  1.8beta2
 Severity:  Normal   |   Resolution:
 Keywords:  forms fields media   | Triage Stage:
  escape template jinja2 |  Unreviewed
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by aaugustin):

 Thanks a lot for doing this research. That's the reason I suspected, but I
 wasn't sure.



Re: [Django] #24469: forms, form fields and media are escaped wrongfully in non django templates

2015-03-11 Thread Django
#24469: forms, form fields and media are escaped wrongfully in non django 
templates
-+-
 Reporter:  MoritzS  |Owner:  aaugustin
 Type:  Bug  |   Status:  assigned
Component:  Template system  |  Version:  1.8beta2
 Severity:  Release blocker  |   Resolution:
 Keywords:  forms fields media   | Triage Stage:  Accepted
  escape template jinja2 |
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by aaugustin):

 * severity:  Normal => Release blocker
 * stage:  Unreviewed => Accepted




Re: [Django] #24469: forms, form fields and media are escaped wrongfully in non django templates

2015-03-11 Thread Django
#24469: forms, form fields and media are escaped wrongfully in non django 
templates
-+-
 Reporter:  MoritzS  |Owner:  aaugustin
 Type:  Bug  |   Status:  assigned
Component:  Template system  |  Version:  1.8beta2
 Severity:  Normal   |   Resolution:
 Keywords:  forms fields media   | Triage Stage:
  escape template jinja2 |  Unreviewed
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by MoritzS):

 I looked into django's and jinja2's template code and found out what the
 problem is:

 The django template engine calls
 `django.template.base.render_value_in_context` for each variable. There
 the object gets converted to a string with `force_text`. That just calls
 `__str__` or `__unicode__` of the object and correctly gets a `SafeText`.

 jinja2 however doesn't use `force_text` or `str()`, it uses `escape` from
 the markupsafe library.
 Markupsafe then sees that the form, field or media doesn't have a
 `__html__` method so it decides to mark it unsafe and escape the html
 characters.

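The mechanism described in the comment above, together with the mixin idea raised in aaugustin's comment, as an added example that is not part of the thread and is not Django's or MarkupSafe's code. `escape` is a simplified standard-library model of `markupsafe.escape`, and `SafeText`, `BoundFieldBefore`, `BoundFieldAfter` and `HtmlSafeMixin` are hypothetical stand-ins.

```python
import html


class SafeText(str):
    """Stand-in for Django's SafeText: a str that declares itself HTML-safe."""

    def __html__(self):
        return self


def escape(obj):
    """Simplified model of markupsafe.escape: only objects exposing __html__ are trusted."""
    if hasattr(obj, "__html__"):
        return SafeText(obj.__html__())
    # No __html__ on the object itself: convert to text and escape it,
    # even if str(obj) would have returned a SafeText.
    return SafeText(html.escape(str(obj), quote=True))


class BoundFieldBefore:
    """Hypothetical field: __str__ returns SafeText, but the object has no __html__."""

    def __init__(self, name, value):
        self.name, self.value = name, value

    def __str__(self):
        # The user-supplied value is escaped here, before the markup is marked safe.
        return SafeText('<input name="%s" value="%s">' % (
            html.escape(self.name), html.escape(self.value)))


class HtmlSafeMixin:
    """Hypothetical mixin: declares that str(self) is already-escaped HTML."""

    def __html__(self):
        return str(self)


class BoundFieldAfter(HtmlSafeMixin, BoundFieldBefore):
    """Same rendering as BoundFieldBefore, now recognised as safe by escape()."""


def render(field_cls, value):
    """What an autoescaping `{{ field }}` emits under this model."""
    return str(escape(field_cls("q", value)))


if __name__ == "__main__":
    sample = 'a"<b>'  # constructed input containing HTML metacharacters
    print(render(BoundFieldBefore, sample))  # whole tag escaped: shown as text
    print(render(BoundFieldAfter, sample))   # tag intact, value still escaped
```

Because `__html__` switches the backend's autoescaping off for the object, the object's own rendering has to escape every user-supplied value, as `__str__` does here.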


Re: [Django] #24469: forms, form fields and media are escaped wrongfully in non django templates

2015-03-10 Thread Django
#24469: forms, form fields and media are escaped wrongfully in non django 
templates
-+-
 Reporter:  MoritzS  |Owner:  aaugustin
 Type:  Bug  |   Status:  assigned
Component:  Template system  |  Version:  1.8beta2
 Severity:  Normal   |   Resolution:
 Keywords:  forms fields media   | Triage Stage:
  escape template jinja2 |  Unreviewed
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by aaugustin):

 * owner:  MoritzS => aaugustin




Re: [Django] #24469: forms, form fields and media are escaped wrongfully in non django templates

2015-03-10 Thread Django
#24469: forms, form fields and media are escaped wrongfully in non django 
templates
-+-
 Reporter:  MoritzS  |Owner:  MoritzS
 Type:  Bug  |   Status:  assigned
Component:  Template system  |  Version:  1.8beta2
 Severity:  Normal   |   Resolution:
 Keywords:  forms fields media   | Triage Stage:
  escape template jinja2 |  Unreviewed
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by MoritzS):

 * has_patch:  0 => 1


Comment:

 The pull request contains a regression test and the `__html__` methods for
 Form, BoundField and Media.



Re: [Django] #24469: forms, form fields and media are escaped wrongfully in non django templates

2015-03-10 Thread Django
#24469: forms, form fields and media are escaped wrongfully in non django 
templates
-+-
 Reporter:  MoritzS  |Owner:  MoritzS
 Type:  Bug  |   Status:  assigned
Component:  Template system  |  Version:  1.8beta2
 Severity:  Normal   |   Resolution:
 Keywords:  forms fields media   | Triage Stage:
  escape template jinja2 |  Unreviewed
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by MoritzS):

 * status:  new => assigned
 * needs_better_patch:   => 0
 * owner:  nobody => MoritzS
 * needs_tests:   => 0
 * needs_docs:   => 0




[Django] #24469: forms, form fields and media are escaped wrongfully in non django templates

2015-03-10 Thread Django
#24469: forms, form fields and media are escaped wrongfully in non django 
templates
-+-
 Reporter:  MoritzS  |  Owner:  nobody
 Type:  Bug  | Status:  new
Component:   |Version:  1.8beta2
  Template system|   Keywords:  forms fields media escape template
 Severity:  Normal   |  jinja2
 Triage Stage:   |  Has patch:  0
  Unreviewed |
Easy pickings:  0|  UI/UX:  0
-+-
 Django uses `django.utils.safestring` for marking strings as escaped. This
 prevents already escaped text from being escaped again.
 It also uses the `__html__` magic method used by many other web
 frameworks.

 However the information about a string being safe won't be carried on if
 an object gets converted to a string.
 This mostly happens with forms, form fields and the `Media` class.
 The django template backend "knows" about them so it doesn't escape them,
 however that's not the case with any other backend.

 For example
 {{{
   {{ my_form.my_field }}
 }}}
 will be rendered as
 {{{
   
 }}}
 when using jinja2 backend.

 In my opinion the best way to fix this is to add `__html__` methods to the
 classes that should not be escaped.
