Global Escape


Spock

June 9, 2006, 9:03:13 AM
To: Django users
Hello.
I've an application where most of the data is fetched from a database.
Those data are inserted by people without "trust", so in every template

I'm using the |escape filter ... so a question is:

Is there some method to enable a global escape filter? :)

Simon Willison

June 9, 2006, 9:35:01 AM
To: django...@googlegroups.com

I've been thinking about this recently, and I've come to the
conclusion that we might have missed a trick by not making ALL
replacement variables escaped by default (and including a var|raw
filter for the times when you don't want stuff to be escaped). It's
probably too late to change this now though.

One solution is to write your own custom Context class and use that.
The following code is untested:

from django.template.context import Context
from django.utils.html import escape

class EscapedContext(Context):
    # Escape every value as it is looked up, so templates get escaped
    # output without needing |escape on each variable.
    def __getitem__(self, key):
        value = super(EscapedContext, self).__getitem__(key)
        return escape(value)

You would also need to add your own 'unescape' custom template filter
that reverses the effects of escape for cases where you needed to do
that. Maybe unescape would be a useful addition to the default set of
template tags...

Cheers,

Simon

Malcolm Tredinnick

June 9, 2006, 9:21:33 PM
To: django...@googlegroups.com
On Fri, 2006-06-09 at 14:35 +0100, Simon Willison wrote:
> On 9 Jun 2006, at 14:03, Spock wrote:
> > I've application where most of data is fetched from database.
> > Those data are inserted by people without "trust", so in every
> > template
> >
> > I'm using |escape filter ...so a question is :
> >
> > Is there is some method to enable global escape filter ? :)
>
> I've been thinking about this recently, and I've come to the
> conclusion that we might have missed a trick by not making ALL
> replacement variables escaped by default (and including a var|raw
> filter for the times when you don't want stuff to be escaped). It's
> probably too late to change this now though.

I thought we'd kind of reached consensus that this (always escape) was a good
idea last time this came up. But then it slipped into the "too hard for
now" basket.

Anyway, Simon no doubt remembers the arguments (since he was involved),
but for others wanting to see past discussions, here are two threads
that provide some background of ideas...

http://groups.google.com/group/django-users/browse_frm/thread/13cf8218d3a18aad/f4648b081c90885a?q=escaping+html&rnum=1#f4648b081c90885a

http://groups.google.com/group/django-developers/browse_frm/thread/e448bbdd40426915/2ee9766d0d148706?q=html+escaping&rnum=1#2ee9766d0d148706


Regards,
Malcolm

Spock

June 12, 2006, 1:41:53 PM
To: Django users
This looks promising. I'll try.
IMHO such a mode should be set in settings.py.
You should have to choose between "default deny" and "default accept".
Maybe Adrian and the rest of the core devs will include such a feature in the next
release with:
DEFAULT_ESCAPE_FILTER=False
for reverse compatibility :)
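The escape-by-default idea discussed in this thread (Simon's lookup-time Context and Spock's "default deny" versus "default accept" setting), as an added example that is not part of the original thread or of Django itself: a tiny Python renderer with a default-deny switch, a |raw opt-out, a safe-string marker that prevents double escaping, and a check showing why escaping inside Context.__getitem__ breaks dotted lookups such as {{ comment.author }}. All names here (render, resolve, SafeString, EscapedContext) and the sample data are hypothetical.

```python
import html
import re
from types import SimpleNamespace

class SafeString(str):
    """Text already escaped (or trusted): the renderer will not escape it again."""

def escape(value):
    # A SafeString passes through (escaping it again would give &amp;amp;);
    # anything else is str()'d and escaped, as Django's escape() did.
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value)))

def resolve(context, dotted):
    # Dotted lookup "comment.author": dict key first, then attribute,
    # roughly how the template engine resolves {{ comment.author }}.
    value = context
    for part in dotted.split("."):
        value = value[part] if isinstance(value, dict) else getattr(value, part)
    return value

def render(template, context, default_escape=True):
    # default_escape=True is the "default deny" mode argued for in the thread:
    # every {{ var }} is escaped unless the template opts out with |raw.
    def substitute(match):
        expr, _, flt = match.group(1).partition("|")
        value, flt = resolve(context, expr.strip()), flt.strip()
        if flt != "raw" and (flt == "escape" or default_escape):
            value = escape(value)
        return str(value)
    return re.sub(r"\{\{\s*(.*?)\s*\}\}", substitute, template)

class EscapedContext(dict):
    # The lookup-time suggestion from the thread, modelled on a dict.
    def __getitem__(self, key):
        return escape(super().__getitem__(key))

# Constructed sample: an untrusted comment object plus a trusted footer snippet.
COMMENT = SimpleNamespace(author='<script>alert("x")</script>', body="a < b & c")
CONTEXT = {"comment": COMMENT, "footer": SafeString("<em>site footer</em>")}

def lookup_time_escaping_breaks_dotted_lookup():
    # Escaping in __getitem__ str()'s the comment object, so the attribute step
    # of "comment.author" has nothing to look up: escape at output time instead.
    try:
        resolve(EscapedContext(CONTEXT), "comment.author")
    except AttributeError:
        return True
    return False
```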
