On Sat, 2008-07-12 at 07:03 -0700, commander_coder wrote:
> I'm trying to write some of my first custom Django widgets, fields,
> and forms. I'm having some trouble making out what the source code
> does.
>
> I have radio buttons that end in html something like this.
> string
> Here "key" and "string" come from the db and could be non-ascii, or
> any string at all.
If they come from the database they can only be unicode. But I guess
you're really meaning the non-ASCII bit is important. Actually, it
isn't. What's important here is that any HTML-sensitive characters are
escaped appropriately. This means that inside attribute values (the
'...' bit), for example, any single quote character would need to be
escaped.
Django's HTML escaping in fact escapes (converts to HTML entities) all
five potentially "dangerous" HTML entities all the time: single quote,
double quote, ampersand, left and right angle bracket.
> Does the encoding and escaping differ for the two
> instances of "string"? For instance, what if I set
> string=u"this is a quote: '\"' " ?
> Are both just encoded as utf-8 and then django.utils.html.escape() is
> done?
I think you jumped a step or three there. There are two types of "string
values" that you can pass to a template. Raw strings, which undergo the
automatic escaping, and "safe strings". The automatic escaping converts
the five special characters I mentioned earlier to their HTML
equivalents. Always.
Safe strings (those that have been passed through a call to mark_safe(),
for example) have no processing applied to them. Ever.
You'll notice that a lot of Django's newforms widgets call mark_safe()
in their render() method. This is because they are returning strings
that should not be escaped when rendered in the template. The HTML
characters they are returning must be interpreted by the browser as
HTML.
This does mean, however, that if you are including data you pulled out
the database, you are responsible for escaping that data before you put
it into the HTML string. Have a look at
django.newforms.widgets.Select.render() for an example of this in
practice. Certain values are escaped (the calls to escape() and
conditional_escape()) before being included in a string that is
ultimately marked as safe with mark_safe().
> My real question is: to what extend does Django handle this? I made a
> widget MultipleRadioButtons to lay out my radio buttons, made a field
> PickField to clean, etc., and and I put that field in a form
> PickForm. When I have a context with a key of 'key' and I feed it to
> PickForm, when I am in PickField will "string" come to me escaped or
> unescaped?
What happens when you try it? Your computer won't catch on fire when you
make a mistake, so experimentation is a good way to learn. :-)
> Finally, any ideas where in the source this is done?
Depends what "this" is. Autoescaping is done in the render() method of
the Template() class -- which often dispatches the work to other
methods. Marking strings as "the string should not be automatically
escaped" is done as close to the source as possible. That is, as soon as
we know the string should be marked as safe, we do so. Mostly this is in
the render() method of a newforms widget in that case.
Regards,
Malcolm
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---