Re: [Django] #33405: Documentation for template filter 'escapejs' is extremely unclear

2023-07-03 Thread Django
#33405: Documentation for template filter 'escapejs' is extremely unclear
-------------------------------------+-------------------------------------
 Reporter:  Jon Ribbens              |  Owner:  Jon Ribbens
 Type:  Cleanup/optimization         |  Status:  closed
 Component:  Documentation           |  Version:  dev
 Severity:  Normal                   |  Resolution:  fixed
 Keywords:                           |  Triage Stage:  Ready for checkin
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak):

 In [changeset:"e54f711d4287b3ea57026a02b48ab7e28ca6dcc1" e54f711]:
 {{{
 #!CommitTicketReference repository=""
 revision="e54f711d4287b3ea57026a02b48ab7e28ca6dcc1"
 [4.2.x] Fixed #33405, Refs #7177 -- Clarified docs for filter escapejs
 regarding safe and unsafe usages.

 Backport of adfb3dfa89b62ee0c838a64d3d480c03dd3ec869 from main
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/010701891b9beafe-64c1c762-7c07-4802-a949-5f7f032de404-00%40eu-central-1.amazonses.com.


Re: [Django] #33405: Documentation for template filter 'escapejs' is extremely unclear

2023-07-03 Thread Django
#33405: Documentation for template filter 'escapejs' is extremely unclear
-------------------------------------+-------------------------------------
 Reporter:  Jon Ribbens              |  Owner:  Jon Ribbens
 Type:  Cleanup/optimization         |  Status:  closed
 Component:  Documentation           |  Version:  dev
 Severity:  Normal                   |  Resolution:  fixed
 Keywords:                           |  Triage Stage:  Ready for checkin
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"adfb3dfa89b62ee0c838a64d3d480c03dd3ec869" adfb3dfa]:
 {{{
 #!CommitTicketReference repository=""
 revision="adfb3dfa89b62ee0c838a64d3d480c03dd3ec869"
 Fixed #33405, Refs #7177 -- Clarified docs for filter escapejs regarding
 safe and unsafe usages.
 }}}



Re: [Django] #33405: Documentation for template filter 'escapejs' is extremely unclear

2023-07-02 Thread Django
#33405: Documentation for template filter 'escapejs' is extremely unclear
-------------------------------------+-------------------------------------
 Reporter:  Jon Ribbens              |  Owner:  Jon Ribbens
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  Documentation           |  Version:  dev
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Ready for checkin
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

 * stage:  Accepted => Ready for checkin




Re: [Django] #33405: Documentation for template filter 'escapejs' is extremely unclear

2023-05-19 Thread Django
#33405: Documentation for template filter 'escapejs' is extremely unclear
-------------------------------------+-------------------------------------
 Reporter:  Jon Ribbens              |  Owner:  Jon Ribbens
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  Documentation           |  Version:  dev
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Accepted
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Jon Ribbens):

 * needs_better_patch:  1 => 0


Comment:

 Note I improved the patch to fix the test failure 15 months ago and it now
 passes.



Re: [Django] #33405: Documentation for template filter 'escapejs' is extremely unclear

2022-02-15 Thread Django
#33405: Documentation for template filter 'escapejs' is extremely unclear
-------------------------------------+-------------------------------------
 Reporter:  Jon Ribbens              |  Owner:  Jon Ribbens
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  Documentation           |  Version:  dev
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Accepted
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  1
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson):

 * needs_better_patch:  0 => 1




Re: [Django] #33405: Documentation for template filter 'escapejs' is extremely unclear

2022-02-15 Thread Django
#33405: Documentation for template filter 'escapejs' is extremely unclear
-------------------------------------+-------------------------------------
 Reporter:  Jon Ribbens              |  Owner:  Jon Ribbens
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  Documentation           |  Version:  dev
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Accepted
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Jon Ribbens):

 * owner:  nobody => Jon Ribbens
 * status:  new => assigned
 * has_patch:  0 => 1
 * version:  4.0 => dev


Comment:

 Pull Request available at https://github.com/django/django/pull/15430

 Note the PR "fails" the docs check as the spelling checker doesn't
 recognise the valid word "backtick".



Re: [Django] #33405: Documentation for template filter 'escapejs' is extremely unclear

2022-02-14 Thread Django
#33405: Documentation for template filter 'escapejs' is extremely unclear
--+
 Reporter:  Jon Ribbens   |Owner:  nobody
 Type:  Cleanup/optimization  |   Status:  new
Component:  Documentation |  Version:  4.0
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+
Changes (by Carlton Gibson):

 * type:  Bug => Cleanup/optimization
 * stage:  Unreviewed => Accepted


Comment:

 Not sure on the exact wording, but if you'd like to make a PR, please do.
 Accepting on that assumption.



Re: [Django] #33405: Documentation for template filter 'escapejs' is extremely unclear

2022-02-11 Thread Django
#33405: Documentation for template filter 'escapejs' is extremely unclear
---+--
 Reporter:  Jon Ribbens|Owner:  nobody
 Type:  Bug|   Status:  new
Component:  Documentation  |  Version:  4.0
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Unreviewed
Has patch:  0  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+--
Changes (by Jon Ribbens):

 * cc: Jon Ribbens (added)




Re: [Django] #33405: Documentation for template filter 'escapejs' is extremely unclear

2022-02-11 Thread Django
#33405: Documentation for template filter 'escapejs' is extremely unclear
---+--
 Reporter:  Jon Ribbens|Owner:  nobody
 Type:  Bug|   Status:  new
Component:  Documentation  |  Version:  4.0
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Unreviewed
Has patch:  0  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+--
Changes (by Jon Ribbens):

 * status:  closed => new
 * resolution:  invalid =>


Comment:

 This is not a support request, I am reporting a bug in the documentation,
 which is so garbled as to be essentially completely meaningless and to
 render a long-standing and potentially-useful Django feature useless.

 Your reference to #29055 is helpful as it helped me understand the
 documentation is even worse than I thought it was - when it says
 "JavaScript template literals" this doesn't mean "a JavaScript literal
 created from a Django template" which would be the obvious interpretation
 given that is precisely what this feature is for, it means the relatively-
 recent JavaScript backtick syntax.

 Add that to the fact that the second sentence has two clauses which
 contradict each other, and I cannot understand how you can possibly think
 the current text is "ok" - it's complete gibberish.

 Since you're asking for a concrete proposal I would suggest:

 Escapes characters for use in JavaScript strings. This makes the
 string safe for use in HTML and JavaScript or JSON string literals. Note
 that it does ''not'' make it safe for use in "JavaScript template
 literals" (i.e. the JavaScript backtick syntax).
 For example:
 

Re: [Django] #33405: Documentation for template filter 'escapejs' is extremely unclear

2022-02-09 Thread Django
#33405: Documentation for template filter 'escapejs' is extremely unclear
---+--
 Reporter:  Jon Ribbens|Owner:  nobody
 Type:  Bug|   Status:  closed
Component:  Documentation  |  Version:  4.0
 Severity:  Normal |   Resolution:  invalid
 Keywords: | Triage Stage:  Unreviewed
Has patch:  0  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+--
Changes (by Carlton Gibson):

 * status:  new => closed
 * resolution:   => invalid


Comment:

 This looks like a usage question really. For which see
 TicketClosingReasons/UseSupportChannels.

 Nonetheless, `escapejs` is used to avoid syntax errors when constructing
 JavaScript using the DTL.

 Take something like this:

 {{{
 
 function example() {
 query = '{{ my_var | escapejs }}';
 }
 
 }}}

 If `my_var` included a single quote `'`, without the `escapejs` you'd get
 a syntax error, since the string would be improperly closed. `escapejs` hex
 encodes the `'` leaving a valid string.

 In addition it encodes various other characters including `<`, and `>`
 which makes it look like it's good for security, but it's not. See #29055.

 The source is in `django.utils.html` if you want to see exactly what's
 encoded.

 As I said above, I think the current text is ok **but** happy to look at
 concrete suggestions for improvements to the docs.

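
The distinction the thread draws between JavaScript string literals and template literals (backtick syntax) can be checked directly. This is an added example, not code from the ticket or from Django: `escapejsLike` is a hypothetical JavaScript approximation of the escaping table in `django.utils.html` (assumed to cover quotes, backslash, `<`, `>`, `&`, `=`, `-`, `;`, backtick, U+2028/U+2029 and control characters), and the sample inputs are constructed.

```javascript
// Approximation of the escapejs table (assumption, not Django's own code):
// each listed character and every control character below 0x20 becomes \uXXXX.
const ESCAPED = new Set(["\\", "'", '"', ">", "<", "&", "=", "-", ";", "`", "\u2028", "\u2029"]);

function escapejsLike(value) {
  let out = "";
  for (const ch of String(value)) {
    const code = ch.codePointAt(0);
    if (ESCAPED.has(ch) || code < 32) {
      out += "\\u" + code.toString(16).toUpperCase().padStart(4, "0");
    } else {
      out += ch;
    }
  }
  return out;
}

// Place the escaped value between the given delimiters, as a template would,
// then let the engine parse the result the way a browser parses a script body.
function renderAndRun(open, close, value) {
  const source = "return " + open + escapejsLike(value) + close + ";";
  return new Function(source)();
}

// Constructed sample inputs.
const quoteBreaker = "it's </script> \"quoted\"\nline two";
const interpolation = "total: ${6 * 7}";

function demo() {
  return {
    // Quotes, angle brackets and the newline are escaped, so the value
    // round-trips unchanged through a quoted string literal.
    singleQuoted: renderAndRun("'", "'", quoteBreaker),
    doubleQuoted: renderAndRun('"', '"', quoteBreaker),
    // "$", "{" and "}" are not escaped. Harmless inside quotes...
    singleQuotedDollar: renderAndRun("'", "'", interpolation),
    // ...but inside backticks the engine evaluates the embedded expression.
    templateLiteral: renderAndRun("`", "`", interpolation),
  };
}

console.log(demo());
```

Only the backtick-delimited case returns a value different from the input, which is why the escaped output belongs in quoted string literals and not in template literals.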


Re: [Django] #33405: Documentation for template filter 'escapejs' is extremely unclear

2022-02-09 Thread Django
#33405: Documentation for template filter 'escapejs' is extremely unclear
---+--
 Reporter:  Jon Ribbens|Owner:  nobody
 Type:  Bug|   Status:  new
Component:  Documentation  |  Version:  4.0
 Severity:  Normal |   Resolution:
 Keywords: | Triage Stage:  Unreviewed
Has patch:  0  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+--
Changes (by Jon Ribbens):

 * status:  closed => new
 * resolution:  invalid =>


Comment:

 Reopening this as the comment doesn't address it at all I'm afraid.

 Answering your last question first, generally it's not safe, and you
 shouldn't do this. escapejs is just to put escape sequences into
 strings.

 What does "put escape sequences into strings" ''mean''? That is precisely
 what I was doing in my example above, which you just said was wrong.

 As far as I can see, actually it is safe. If it isn't, can anyone explain
 why and, more importantly, explain what escapejs ''should'' be used for.



Re: [Django] #33405: Documentation for template filter 'escapejs' is extremely unclear

2022-01-03 Thread Django
#33405: Documentation for template filter 'escapejs' is extremely unclear
---+--
 Reporter:  Jon Ribbens|Owner:  nobody
 Type:  Bug|   Status:  closed
Component:  Documentation  |  Version:  4.0
 Severity:  Normal |   Resolution:  invalid
 Keywords: | Triage Stage:  Unreviewed
Has patch:  0  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+--
Changes (by Carlton Gibson):

 * cc: Adam Johnson (added)
 * status:  new => closed
 * resolution:   => invalid


Comment:

 Hi Jon.

 Answering your last question first, generally it's not safe, and you
 shouldn't do this. `escapejs` is just to put escape sequences into
 strings.

 You want to look into the newer
 [https://docs.djangoproject.com/en/3.2/ref/templates/builtins/#json-script json_script] tag.
 [https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/ Adam Johnson has a good post on this topic from a while back].

 I'm going to close, as I think the text is OK... **but** happy to look at
 concrete suggestions.
 (I also wonder if we might not deprecate `escapejs` as of questionable
 value, but perhaps that needs some discussion...)
