[Django] #26258: Jinja2 rendered templates are not safe by default


Django

Feb 22, 2016, 7:13:48 AM
to django-...@googlegroups.com
#26258: Jinja2 rendered templates are not safe by default
---------------------------------+--------------------
     Reporter:  tsouvarev        |      Owner:  nobody
         Type:  Bug              |     Status:  new
    Component:  Template system  |    Version:  1.9
     Severity:  Normal           |   Keywords:
 Triage Stage:  Unreviewed       |  Has patch:  1
Easy pickings:  0                |      UI/UX:  0
---------------------------------+--------------------
Here are the steps to reproduce:
- have Django 1.9
- make a `simple_tag` that renders a Jinja2 template
- output it

Expected result:
- output is unescaped

What happens:
- output is escaped

With Django's templates everything works just fine, since it calls
`mark_safe` in NodeList.

In pre-1.9 versions it wasn't an issue, because `simple_tag` wasn't
auto-escaped by default.

--
Ticket URL: <https://code.djangoproject.com/ticket/26258>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Feb 22, 2016, 7:14:04 AM
to django-...@googlegroups.com
Changes (by tsouvarev):

* Attachment "patch.diff" added.

Django

Feb 22, 2016, 7:50:18 AM
to django-...@googlegroups.com
Changes (by timgraham):

* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0


Comment:

Is there a problem if you follow
[https://docs.djangoproject.com/en/stable/releases/1.9/#simple-tag-now-wraps-tag-output-in-conditional-escape the rules in the 1.9 release notes]
for marking the output of your template tag as safe?

I didn't look in detail at the consequences of your proposed patch, but
from a quick glance, I don't see the rationale for considering all
rendering of `Template` safe. A regression test to demonstrate the fix
would also be required.

--
Ticket URL: <https://code.djangoproject.com/ticket/26258#comment:1>

Django

Feb 22, 2016, 7:58:54 AM
to django-...@googlegroups.com

Comment (by tsouvarev):

Replying to [comment:1 timgraham]:


> Is there a problem if you follow
> [https://docs.djangoproject.com/en/stable/releases/1.9/#simple-tag-now-wraps-tag-output-in-conditional-escape the rules in the 1.9 release notes]
> for marking the output of your template tag as safe?

The thing is, the problem template tag is `admin_list_filter` inside Django's
admin. We have a list filter that renders via a Jinja2 template, so this issue
arises.

> I didn't look in detail at the consequences of your proposed patch, but
from a quick glance, I don't see the rationale for considering all
rendering of `Template` safe. A regression test to demonstrate the fix
would also be required.

Django considers its own templates safe, so why not consider Jinja's
templates safe as well? But, of course, you may come up with a better
solution.

--
Ticket URL: <https://code.djangoproject.com/ticket/26258#comment:2>

Django

Feb 23, 2016, 1:53:37 PM
to django-...@googlegroups.com

Comment (by timgraham):

Do you have time to put together a sample project I could download to
easily reproduce the issue? That will help me investigate and try to find
the proper solution.

--
Ticket URL: <https://code.djangoproject.com/ticket/26258#comment:3>

Django

Feb 24, 2016, 7:53:40 AM
to django-...@googlegroups.com

Comment (by tsouvarev):

Replying to [comment:3 timgraham]:


> Do you have time to put together a sample project I could download to
easily reproduce the issue? That will help me investigate and try to find
the proper solution.

OK, I will try to do that by next week.

--
Ticket URL: <https://code.djangoproject.com/ticket/26258#comment:4>

Django

Feb 24, 2016, 8:06:54 AM
to django-...@googlegroups.com
Changes (by timgraham):

* has_patch: 1 => 0
* stage: Unreviewed => Someday/Maybe


--
Ticket URL: <https://code.djangoproject.com/ticket/26258#comment:5>

Django

Feb 26, 2016, 3:39:13 AM
to django-...@googlegroups.com

Comment (by tsouvarev):

https://github.com/tsouvarev/test_jinja_escaped_twice

I've added `JinjaListFilter`, which renders with a Jinja template (which is
just `admin/filter.html` translated into Jinja).
In the Book admin section, on the right side, you will see escaped HTML code.

--
Ticket URL: <https://code.djangoproject.com/ticket/26258#comment:6>

Django

Feb 26, 2016, 3:39:35 AM
to django-...@googlegroups.com
Changes (by tsouvarev):

* Attachment "screenshot-localhost 8000 2016-02-26 11-38-37.png" added.

Django

Mar 1, 2016, 3:15:37 AM
to django-...@googlegroups.com

Comment (by tsouvarev):

I added some inclusion tags that include Jinja templates; they are also not
working at all (see the `/test/` view).

--
Ticket URL: <https://code.djangoproject.com/ticket/26258#comment:7>

Django

Mar 10, 2016, 1:57:30 AM
to django-...@googlegroups.com

Comment (by tsouvarev):

Any feedback?

--
Ticket URL: <https://code.djangoproject.com/ticket/26258#comment:8>

Django

Jul 31, 2016, 8:28:12 AM
to django-...@googlegroups.com

Comment (by sassanh):

Replying to [comment:3 timgraham]:
> Do you have time to put together a sample project I could download to
easily reproduce the issue? That will help me investigate and try to find
the proper solution.

Is there any workaround for this?

--
Ticket URL: <https://code.djangoproject.com/ticket/26258#comment:9>
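Added example (not from the ticket, the attached patch.diff, or Django's or Jinja2's own code). It uses stdlib-only stand-ins for `mark_safe`, `conditional_escape`, the 1.9 `simple_tag` wrapper and `jinja2.Template.render()` to show three things at once: the escaping reported in the opening message (a Jinja2 render is a plain `str` with no `__html__`, so the 1.9 `simple_tag` escapes it, and a variable Jinja2 already escaped ends up escaped twice), the `mark_safe` workaround from the 1.9 release notes that sassanh asks about in comment:9, and why treating every Jinja2 `Template` render as safe (the rationale questioned in comment:1) is unsafe when the Jinja2 environment does not autoescape. The template text, the `title` values, `jinja2_render` and the `environment_autoescape` flag are constructed for the example.

```python
# Added example, not code from the ticket, the attached patch or Django/Jinja2.
# Stdlib-only stand-ins (so this runs offline) for:
#   - django.utils.safestring.SafeString / mark_safe
#   - django.utils.html.escape / conditional_escape (anything implementing
#     __html__ passes through untouched, everything else is escaped)
#   - the Django >= 1.9 simple_tag wrapper that conditionally escapes output
#   - jinja2.Template.render(), which returns a plain str (no __html__) even
#     when the environment autoescapes
import html


class SafeString(str):
    """A str that declares itself already-escaped HTML via __html__()."""

    def __html__(self):
        return self


def mark_safe(s):
    return SafeString(s)


def escape(text):
    """Model of django.utils.html.escape: escape & < > " ' and mark safe."""
    return mark_safe(html.escape(str(text), quote=True))


def conditional_escape(text):
    """Model of django.utils.html.conditional_escape."""
    if hasattr(text, "__html__"):
        return text.__html__()
    return escape(text)


def simple_tag(func):
    """Model of the Django 1.9 change: simple_tag output goes through
    conditional_escape. (Django only does this when context.autoescape is
    on; the admin renders with autoescape on, so that case is modelled.)"""

    def wrapper(*args, **kwargs):
        return conditional_escape(func(*args, **kwargs))

    return wrapper


# Constructed stand-in for rendering this Jinja2 template (a one-item
# version of admin/filter.html):  <li><a href="?f={{ title }}">{{ title }}</a></li>
def jinja2_render(title, autoescape=True):
    """Returns a plain str like jinja2.Template.render(); with autoescape the
    variable is HTML-escaped, without it the value is interpolated raw."""
    value = html.escape(title, quote=True) if autoescape else title
    return '<li><a href="?f={0}">{0}</a></li>'.format(value)


@simple_tag
def filter_tag_plain(title, autoescape=True):
    """The situation in the ticket: the Jinja2 render is returned as-is, so
    simple_tag escapes the whole markup and the variable Jinja2 already
    escaped is escaped a second time."""
    return jinja2_render(title, autoescape)


@simple_tag
def filter_tag_marked_safe(title, autoescape=True):
    """The 1.9 release-notes workaround: mark the tag's output safe.
    Correct only when the Jinja2 environment really autoescapes; with
    autoescape off, untrusted data reaches the admin page unescaped."""
    return mark_safe(jinja2_render(title, autoescape))


def filter_tag_checked(title, environment_autoescape):
    """Guarded variant of the workaround: refuse to vouch for output of an
    environment that does not autoescape instead of silently marking it safe
    (the problem with marking every Template render safe)."""
    if not environment_autoescape:
        raise ValueError("Jinja2 environment does not autoescape; "
                         "refusing to mark its output safe")
    return filter_tag_marked_safe(title, autoescape=True)
```

In a real tag the equivalent of `filter_tag_marked_safe` is `return mark_safe(template.render(**context))`; since Jinja2's `Environment.autoescape` may be a bool or a callable of the template name, the guard in `filter_tag_checked` has to be resolved for the template actually being rendered rather than assumed globally.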
