Google Groups Home Help | Sign in
Django users
Home
+ new post
Pages
Files
About this group
Join this group
Global Escape
Options
There are currently too many topics in this group that display first. To make this topic appear first, remove this option from another topic.
There was an error processing your request. Please try again.
flag
   4 messages - Collapse all
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
Spock  
View profile
  More options Jun 9 2006, 9:03 am
From: "Spock" <mjurc...@gmail.com>
Date: Fri, 09 Jun 2006 06:03:13 -0700
Local: Fri, Jun 9 2006 9:03 am
Subject: Global Escape
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author
Hello.
I've application where most of data is fetched from database.
Those data are inserted by people without "trust", so in every template

I'm using |escape filter ...so a question is :

Is there is some method  to enable global escape filter ? :)


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Simon Willison  
View profile
  More options Jun 9 2006, 9:35 am
From: Simon Willison <swilli...@gmail.com>
Date: Fri, 9 Jun 2006 14:35:01 +0100
Local: Fri, Jun 9 2006 9:35 am
Subject: Re: Global Escape
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author
On 9 Jun 2006, at 14:03, Spock wrote:

> I've application where most of data is fetched from database.
> Those data are inserted by people without "trust", so in every  
> template

> I'm using |escape filter ...so a question is :

> Is there is some method  to enable global escape filter ? :)

I've been thinking about this recently, and I've come to the  
conclusion that we might have missed a trick by not making ALL  
replacement variables escaped by default (and including a var|raw  
filter for the times when you don't want stuff to be escaped). It's  
probably too late to change this now though.

One solution is to write your own custom Context class and use that.  
The following code is unteste:

from django.template.context import Context
from django.utils.html import escape

class EscapedContext(Context):
     def __getitem__(self, key):
         value = super(Context, self)[key]
         return escape(value)

You would also need to add your own 'unescape' custom template filter  
that reverses the effects of escape for cases where you needed to do  
that. Maybe unescape would be a useful addition to the default set of  
template tags...

Cheers,

Simon


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Malcolm Tredinnick  
View profile
  More options Jun 9 2006, 9:21 pm
From: Malcolm Tredinnick <malc...@pointy-stick.com>
Date: Sat, 10 Jun 2006 11:21:33 +1000
Local: Fri, Jun 9 2006 9:21 pm
Subject: Re: Global Escape
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author

On Fri, 2006-06-09 at 14:35 +0100, Simon Willison wrote:
> On 9 Jun 2006, at 14:03, Spock wrote:
> > I've application where most of data is fetched from database.
> > Those data are inserted by people without "trust", so in every  
> > template

> > I'm using |escape filter ...so a question is :

> > Is there is some method  to enable global escape filter ? :)

> I've been thinking about this recently, and I've come to the  
> conclusion that we might have missed a trick by not making ALL  
> replacement variables escaped by default (and including a var|raw  
> filter for the times when you don't want stuff to be escaped). It's  
> probably too late to change this now though.

I thought we'd kind of reached consensus this (always escape) was a good
idea last time this came up. But then it slipped into the "too hard for
now" basket.

Anyway, Simon no doubt remembers the arguments (since he was involved),
but for others wanting to see past discussions, here are two threads
that provide some background of ideas...

http://groups.google.com/group/django-users/browse_frm/thread/13cf821...

http://groups.google.com/group/django-developers/browse_frm/thread/e4...

Regards,
Malcolm


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Spock  
View profile
  More options Jun 12 2006, 1:41 pm
From: "Spock" <mjurc...@gmail.com>
Date: Mon, 12 Jun 2006 10:41:53 -0700
Local: Mon, Jun 12 2006 1:41 pm
Subject: Re: Global Escape
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author
This looks promising. I'll try.
IMHO such mode should be set in setings.py.
You should have to choose beetwen "default deny" and "default accept"
Maybe Adrian and rest of core dev will include such feature in next
release with:
DEFAULT_ESCAPE_FILTER=False
for reverse compatibility :)

    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
End of messages
« Back to Discussions « Newer topic     Older topic »

Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2008 Google