Autoescape of & char ignoring safe filter


Marc Serra

Oct 2, 2012, 6:36:36 PM
to django...@googlegroups.com
Hi, I'm trying to output raw HTML content from the database on the website, so I use the safe filter on the variable. All HTML code is displayed correctly except the ampersands, which are escaped ignoring the safe filter, or so it seems to me.

I also tried to use a template tag with the mark_safe function, with the same outcome.

Here is an example:

Source in database:

<object width="560" height="340"><param name="movie" value="http://www.youtube.com/v/Uq8zzBW9hlc&hl=en&fs=1&hd=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/Uq8zzBW9hlc&hl=en&fs=1&hd=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="560" height="340"></embed></object>

On the template with the |safe filter (notice the "&" replaced with "&amp;"):

<object height="340" width="560"><param name="movie" value="http://www.youtube.com/v/Uq8zzBW9hlc&amp;hl=en&amp;fs=1&amp;hd=1"><param name="allowFullScreen" value="true"><param name="allowscriptaccess" value="always"><embed src="http://www.youtube.com/v/Uq8zzBW9hlc&amp;hl=en&amp;fs=1&amp;hd=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="340" width="560"></object>

Do you know what can be the reason for this behaviour and how to solve it?

Thank you,
Marc Serra

Laxmikant Gurnalkar

Oct 3, 2012, 12:24:45 AM
to django...@googlegroups.com
Hi,
I have not used safe ever. But use escape; this works for me.
https://docs.djangoproject.com/en/1.0/ref/templates/builtins/#escape

Cheers
Laxmikant G.

--
GlxGuru

Laxmikant Gurnalkar

Oct 3, 2012, 12:25:19 AM
to django...@googlegroups.com
>>> I have not used safe ever. But use escape; this works for me.
--
GlxGuru

Marc Serra

Oct 3, 2012, 1:17:49 PM
to django...@googlegroups.com
Laxmikant, I think you didn't understand my point. I don't want it escaped, and escape marks it for escaping. I want to output the contents of the database RAW, without escaping. The safe filter does this, but I found the weird exception of &, which messes with URLs with parameters in them.

Regards,
Marc Serra

On Wednesday, 3 October 2012 06:25:38 UTC+2, Laxmikant Gurnalkar wrote:

Russell Keith-Magee

Oct 3, 2012, 7:27:18 PM
to django...@googlegroups.com
On Thu, Oct 4, 2012 at 1:17 AM, Marc Serra <mad...@gmail.com> wrote:
> Laxmikant I think you didn't understand my point. I don't want it escaped,
> and escape marks it for escaping. I want to output the contents of database
> RAW, without escaping. Safe filter does this but I found the weird exception
> of &, what messes with urls with parameters on them.

Are you *absolutely* certain that the database contains & and not
&amp;? How are you verifying that this is what the database contains?
The reason I ask is that |safe is essentially a call to Django that
says "don't do anything", so I don't see how the behaviour you
describe could be caused.

Also - are you sure that there isn't anything else in your pipeline
between the database and your display? If part of the content is being
transformed, it has all the hallmarks of something being double
handled.

Yours,
Russ Magee %-)

Marc Serra

Oct 3, 2012, 9:10:25 PM
to django...@googlegroups.com
I've checked the database contents with sqliteman and the ampersands are OK, not escaped. I've also checked the value retrieved from the database with a custom template tag, logging the value just before sending it to the template, and just before sending the data to the template it's correct. Finally I checked again with the shell and it's showing the expected output on the console. All seems OK until the result is processed in the template.

On your second remark, I'm sorry, but I'm quite new to Django and I'm not sure how to check the pipeline process. I'll put here the variables in settings that I think can alter the functionality of Django:

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    # Uncomment the next line for simple clickjacking protection:
    # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
)

TEMPLATE_CONTEXT_PROCESSORS = (
    'django.contrib.auth.context_processors.auth',
    'django.core.context_processors.i18n',
    'django.core.context_processors.request',
    'django.core.context_processors.media',
    'django.core.context_processors.static',
)


I've tried disabling all TEMPLATE_CONTEXT_PROCESSORS (except auth, needed by the admin interface) and MIDDLEWARE_CLASSES, with no success.

Can you point me to something else I can or should check?

Regards,
Marc Serra


On Thursday, 4 October 2012 01:28:23 UTC+2, Russell Keith-Magee wrote:

Peter of the Norse

Nov 16, 2012, 12:00:46 PM
to django...@googlegroups.com
I know this is months old, but I've been working on my backlog.

First of all, you should be using &amp; in your URLs. They will get unescaped by the browser and show up as & when you click the link.

This is so commonly overlooked that the browser will automatically escape them when loading. Then Firebug and the WebKit inspector will show the source with &amp; even if it isn't in the source. So the follow-up question is: where are you getting the template results from? Make sure that you're doing "show source" and not just looking at the DOM inspector. I suspect that's what's happening, since some closing tags are missing from the template result.


On 10/3/2012 11:17 AM, Marc Serra wrote:
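The two explanations given in this thread (Russell's: |safe leaves the string untouched, so the & must be handled somewhere else; Peter's: a DOM inspector re-serializes the page and shows &amp; whatever the source contained) can be checked with the following added example, which is not code from the thread or from Django itself. It is a stdlib-only model of Django's autoescape / mark_safe semantics plus a DOM-style re-serializer, run on the first <param> of Marc's stored markup; the escape() character map, the SafeStr marker and the VOID_ELEMENTS set are assumptions made for the example.

```python
from html.parser import HTMLParser

# Constructed sample: the first <param> of the YouTube embed from the original
# post, as stored raw (plain '&') in the database.
RAW_DB_VALUE = ('<param name="movie" value="http://www.youtube.com/v/Uq8zzBW9hlc'
                '&hl=en&fs=1&hd=1"></param>')
VOID_ELEMENTS = {'param', 'embed'}  # browsers drop the closing tags of these

class SafeStr(str):
    """Marker standing in for Django's SafeString (what mark_safe / |safe return)."""

def mark_safe(s):
    return SafeStr(s)

def escape(s):
    """Character map assumed to match django.utils.html.escape."""
    return (str(s).replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')
            .replace('"', '&quot;').replace("'", '&#39;'))

def render(value, autoescape=True):
    """Mimic {{ value }}: escape unless marked safe or autoescape is off."""
    if isinstance(value, SafeStr) or not autoescape:
        return str(value)
    return escape(value)

def looks_pre_escaped(s):
    """Double-handling check: does the stored text already carry entities?"""
    return any(e in s for e in ('&amp;', '&lt;', '&gt;', '&quot;', '&#39;'))

class _DomSerializer(HTMLParser):
    """Re-emit tags the way a DOM inspector does: attribute values are unescaped
    on parse and re-escaped on output, so source '&' and '&amp;' both show as '&amp;'."""
    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        attr_text = ''.join(' %s="%s"' % (k, escape(v or '')) for k, v in attrs)
        self.out.append('<%s%s>' % (tag, attr_text))

    def handle_endtag(self, tag):
        if tag not in VOID_ELEMENTS:
            self.out.append('</%s>' % tag)

def dom_view(markup):
    p = _DomSerializer()
    p.feed(markup)
    p.close()
    return ''.join(p.out)
```

Note that real autoescaping would have turned the tags themselves into &lt;param ...&gt;, so output with intact tags but &amp; in the attributes is what the DOM view produces, not what |safe or the template engine produces.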