Migrating into Django 1.9; question about autoescape


Bill Torcaso

Feb 13, 2018, 11:54:09 AM
to Django users

Hello all,

I have the task of migrating a very old website from Django 1.7 to either Django 1.11 or 2.0, depending on the effort.

My plan is to go from 1.7 --> 1.8 --> 1.9 --> 1.10 --> 1.11, adapting the codebase as I go.  It's been easy enough until I arrive at 1.9, and the change in template-rendering in which "autoescape" defaults to "on".

Now a lot of my payload is arriving at the browser with my HTML tags escaped.  For example,

    <button>       gets rendered as        &lt;button&gt;

I have no argument with the autoescape-on default setting.  But I am unsure how to proceed, and how large the effort will be.  As background, I am a seasoned back-end programmer and a lightweight in HTML and template issues.

I see these alternatives.  Are there any others?

  1. Get to the Template Engine object and set its autoescape attribute to "off".  This loses the protection that autoescape-on provides, restores the Django 1.8 behavior, and lets me proceed with the smallest amount of effort.

    Is this the template engine I need?  "django.core.context_processors.request"  And how do I get to the object?

  2. Visit all of my HTML files and put "{% autoescape off %}" everywhere.

    I put "{% autoescape off %}" in my base.html, and it partially solved the problem.  But it did not get everything.

    This is a medium amount of effort, and if I make a mistake the users will have a bad experience.

  3. Visit all of my code and all of my templates, carefully converting into the world of autoescape-on.

Thanks in advance,

  ---  Bill Torcaso

Matthew Pava

Feb 13, 2018, 12:01:34 PM
to django...@googlegroups.com

At first, I would do your step 1.  I would check for any other errors in Django 1.8, and then proceed with updating to 1.9 -> 1.10 -> 1.11 -> 2.0.  You are probably going to find other issues that need to be resolved in those upgrades.  Ultimately, you will probably have to do step 3.  I wouldn’t do step 2 since you’ll be updating all of your templates.  If you are going to update all your templates, you might as well just do step 3.


Daniel Roseman

Feb 13, 2018, 5:06:48 PM
to Django users

autoescape has defaulted to on since before Django 1.0; it was a massive change at the time.

The only change in escaping behaviour in 1.9 was around the output of simple tags, see https://docs.djangoproject.com/en/2.0/releases/1.9/#simple-tag-now-wraps-tag-output-in-conditional-escape - this is a very minor change which can be easily fixed within the tags themselves.
--
DR.

Peter of the Norse

Mar 11, 2018, 9:45:22 PM
to 'Haven McConnell' via Django users

This seems odd, because autoescaping has been on since almost the beginning.  https://web.archive.org/web/20080826081214/http://docs.djangoproject.com:80/en/dev/topics/templates/#id2  What actually changed with 1.9?
Peter of the Norse