[Django] #29791: Engine.render_to_string should honor the autoescape attribute
Django
-------------------------------------------+------------------------
Reporter: Claude Paroz | Owner: nobody
Type: Bug | Status: new
Component: Template system | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------------+------------------------
In `Engine.render_to_string`, a `Context` is created without specifying
the engine `autoescape` attribute. So if you create en engine with
`autoescape=False` and then call its `render_to_string()` method, the
result will always be autoescaped. It was probably overlooked in
[19a5f6da329d58653bcda85].
--
Ticket URL: <https://code.djangoproject.com/ticket/29791>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
---------------------------------+------------------------------------
Reporter: Claude Paroz | Owner: nobody
Type: Bug | Status: new
Component: Template system | Version: master
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Tim Graham):
* stage: Unreviewed => Accepted
--
Ticket URL: <https://code.djangoproject.com/ticket/29791#comment:1>
Django
---------------------------------+----------------------------------------
Reporter: Claude Paroz | Owner: Claude Paroz
Type: Bug | Status: assigned
Component: Template system | Version: master
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Claude Paroz):
* status: new => assigned
* owner: nobody => Claude Paroz
Comment:
I'd like to reserve this for an event I'll attend on Oct 4th.
--
Ticket URL: <https://code.djangoproject.com/ticket/29791#comment:2>
Django
---------------------------------+----------------------------------------
Reporter: Claude Paroz | Owner: Claude Paroz
Type: Bug | Status: assigned
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Nathan Gaberel):
I'd like to give this a try. Is it OK to reassign to myself since there's
been no update in 6 months?
--
Ticket URL: <https://code.djangoproject.com/ticket/29791#comment:3>
Django
---------------------------------+----------------------------------------
Reporter: Claude Paroz | Owner: Claude Paroz
Type: Bug | Status: assigned
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Simon Charette):
* cc: Claude Paroz (added)
Comment:
I think it's safe to re-assign yourself the ticket to you at this point.
Are you still planing on working on this in the near future Claude?
--
Ticket URL: <https://code.djangoproject.com/ticket/29791#comment:4>
Django
-------------------------------------+-------------------------------------
Reporter: Claude Paroz | Owner: Nathan
| Gaberel
Type: Bug | Status: assigned
Component: Template system | Version: master
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Nathan Gaberel):
* owner: Claude Paroz => Nathan Gaberel
* has_patch: 0 => 1
Comment:
I went ahead and wrote a patch for it, hopefully Claude won't mind. :)
[https://github.com/django/django/pull/11119 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/29791#comment:5>
Django
-------------------------------------+-------------------------------------
Reporter: Claude Paroz | Owner: Nathan
| Gaberel
Component: Template system | Version: master
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Tim Graham <timograham@…>):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"624573726aa5982d1c73aac85fb27aea3b3b23b7" 62457372]:
{{{
#!CommitTicketReference repository=""
revision="624573726aa5982d1c73aac85fb27aea3b3b23b7"
Fixed #29791 -- Made Engine.render_to_string() honor autoescape.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/29791#comment:6>
Django
-------------------------------------+-------------------------------------
Reporter: Claude Paroz | Owner: Nathan
| Gaberel
Type: Bug | Status: closed
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Malik A. Rumi):
* Attachment "autoescape and safe ignored 2021-08-31 16-15-39.png" added.
autoescape off and safe filter both ignored, html entities applied
Django
-------------------------------------+-------------------------------------
Reporter: Claude Paroz | Owner: Nathan
| Gaberel
Type: Bug | Status: closed
Component: Template system | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Malik A. Rumi):
* Attachment "still escaped 2021-08-31 20-11-56.png" added.
get_absolute_url shown as removed in chrome dev tools. full name with
domain does show.
Django
-------------------------------------+-------------------------------------
Reporter: Claude Paroz | Owner: Nathan
| Gaberel
Type: Bug | Status: closed
Component: Template system | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Malik A. Rumi):
* Attachment "library.html still escaped after restart and turning off in
PyCharm actions 2021-08-31 20-06-12.png" added.
link destination in bottom left of screen shows html entities escaping my
code
Django
-------------------------------------+-------------------------------------
Reporter: Claude Paroz | Owner: Nathan
| Gaberel
Type: Bug | Status: closed
Component: Template system | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Malik A. Rumi):
I came here because I cannot get autoescape to turn off. First I put it in
my template, surrounding the links I wanted to work, but it did not. I
looked around and saw that I could control it the same way template
inheritance works, so I went to my base html template and put the
autoescape tags there. It still had no effect. Then I rebooted, hoping
that would make a difference. It did not.
I do not understand how this patch works. Given that at line 20 of
engine.py, the __init__ has
{{{
autoescape = True,
}}}
what are
{{{
self.autoescape=autoescape [line 44]
}}}
and
{{{
autoescape=self.autoescape [line 163]
}}}
actually doing? It just looks like a circular assignment to me.
Further, I don’t see how this is connected to template tags. I see no
reference to tags in any of this code. Perhaps it is somewhere else, and
happens magically, but regardless, I don’t see it.
Finally, I do not understand the test you ran.
{{{
self.assertEqual(
engine.render_to_string('test_context.html', {'obj':
'<script>'}),
'obj:<script>\n',
)
}}}
It looks to me like all you are doing here is removing the curly braces
from a dict, and adding a newline. What has that got to do with
autoescaping html? The angle brackets in your test object are still there.
In my templates, all that html is removed in favor of html entities - as
you can see from the screen shots I attached.. That means the links don't
work, don’t display, and give me repeated NoReverseMatch errors even when
the code Django tried was correct.
I would ask that you re-open this ticket and make the autoescape tag work
as advertised.
--
Ticket URL: <https://code.djangoproject.com/ticket/29791#comment:7>