Django escapes a string partially


Ron Moran

Jan 22, 2018, 11:02:30 AM
to Django users
Hi there!

I have a problem with escaping an error.
I have this unicode in python(2.7) which isn't escaped well in a span element:
u"'NoneType' object has no attribute 'rfind'"
The template is defined as follows:
<span id="status_{{ v.vid }}" {% if v.should_display_error_popover %}
      data-content={{ v.error_msg }} data-trigger="hover" rel="popover"
      data-original-title="Error Title" {% endif %}
      class="label extra-label label-pill label-{{ v.show_class | safe }}">
{{ v.get_human_status }}</span>

where v.error_msg is the string above. It should be noted that all other attributes work just fine.

I wrapped the template in 
{% autoescape on %}
...template content...
{% endautoescape %}

Then I tried using the escape/force_escape tag on the problematic string:
{{ v.error_msg | force_escape }}

Nothing works, the output is only escaped once:
data-content="'NoneType'" object has not attribute &#39;rfind&#39;
Which causes the resulting popover to show only with the message 'NoneType'.
What am I doing wrong? Why isn't the string properly escaped?

I'm using Django 1.5.11, but this syntax was defined well before version 1.5.11, so I don't think it's a version issue.
It's a minor issue but it's driving me mad.

Thanks,
Ron

Daniel Roseman

Jan 22, 2018, 11:16:27 AM
to Django users
Firstly, you **must** upgrade; Django 1.5 is seven major versions old and totally insecure. 

For your actual problem, you need to wrap your template variable in quotes:
    data-content="{{ v.error_msg }}"
--
DR.

Julio Biason

Jan 22, 2018, 11:17:59 AM
to django...@googlegroups.com
Hi,

You should wrap your `data-content={{ v.error_msg }}` in quotes, like this: `data-content="{{ v.error_msg }}"`.

Otherwise you'll generate the template as `data-content='NoneType' object has not attribute "rfind"`, which is valid HTML (data-content will have the string 'NoneType' and the node will have a bunch of tags that it doesn't know what to do with, so they just sit there: "object", "has", "not", "attribute" and ""rfind"".)

--
Julio Biason, Software Engineer
AZION  |  Deliver. Accelerate. Protect.
Office: +55 51 3083 8101  |  Mobile: +55 51 99907 0554
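
The parse described in the replies above, reproduced with Python's standard-library HTML parser, as an added example that is not part of the original thread. `django_like_escape` is a stand-in for Django's autoescaping (an assumption, not Django's own code), and the lint regex and the simplified `<span>` in `render` are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# The error message from the original post.
ERROR_MSG = "'NoneType' object has no attribute 'rfind'"

def django_like_escape(text):
    """Stand-in for autoescaping: only & < > " ' are rewritten, never spaces."""
    return html.escape(text, quote=True).replace("&#x27;", "&#39;")

class AttrCollector(HTMLParser):
    """Records the attributes of the first start tag it sees."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)

def parsed_attrs(markup):
    collector = AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs

def render(quoted):
    """Render a simplified span with the variable quoted or bare."""
    q = '"' if quoted else ""
    return '<span data-content=%s%s%s rel="popover">x</span>' % (
        q, django_like_escape(ERROR_MSG), q)

# Constructed lint: an attribute whose value starts directly with {{ ... }}.
UNQUOTED_VAR = re.compile(r'([\w:-]+)\s*=\s*\{\{')

def unquoted_template_attrs(template_source):
    return UNQUOTED_VAR.findall(template_source)

# The template from the original post (opening tag only).
TEMPLATE = '''<span id="status_{{ v.vid }}" {% if v.should_display_error_popover %}
      data-content={{ v.error_msg }} data-trigger="hover" rel="popover"
      data-original-title="Error Title" {% endif %}
      class="label extra-label label-pill label-{{ v.show_class | safe }}">'''

if __name__ == "__main__":
    print(parsed_attrs(render(quoted=False)))  # value stops at the first space
    print(parsed_attrs(render(quoted=True)))   # whole message in data-content
    print(unquoted_template_attrs(TEMPLATE))   # attributes that need quotes
```

The escaping itself is applied in both cases; the bare value ends at the first whitespace, so the remaining words become separate attributes on the element.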