code from database in template <br> -> &lt;br&gt;


mag_dex

Apr 15, 2009, 6:52:49 AM
to Django users
Hey,

I've got the following problem. I have stored some pieces of HTML
code in the database.
If Django renders the HTML code, <br> is changed to &lt;br&gt; ;(
I guess there is an easy way to change the rendering behaviour, but I can't
find it.

Any ideas?

M.

google torp

Apr 15, 2009, 7:15:30 AM
to Django users
Hi
There is a page for all the django template tags:
http://docs.djangoproject.com/en/dev/ref/templates/builtins/

Your problem is the auto escape, you can use "|safe" to mark something
safe and it won't be escaped. Doing this for user submitted data is a
bad idea though, so make sure you don't make your site vulnerable to
attacks before use.

~Jakob

mag_dex

Apr 15, 2009, 8:28:46 AM
to Django users
Thanks. I've been on that page but I just found

{% autoescape off %}
<tr><td class="mini_th">Description:</td><td>{{ script.desc }}</td></tr>
{% endautoescape %}

Using 'safe' it goes like:

{% autoescape off %}
<tr><td class="mini_th">Description:</td><td>{{ script.desc | safe }}</td></tr>
{% endautoescape %}

Data goes from the db (by but some stuff) so there is no risk.

Thanks again.

Wishes,

M.

mag_dex

Apr 15, 2009, 8:29:50 AM
to Django users
sorry:

<tr><td class="mini_th">Description:</td><td>{{ script.desc | safe }}</td></tr>

no need to put {% autoescape off %} in this second statement.

google torp

Apr 15, 2009, 8:46:16 AM
to Django users
Just wanted to add, the danger is not if the data is coming
from the db, as all the data, more or less, will come from the db.
The problem is if the user has made the input that was saved
to the db, like the username. Marking such content with the
safe tag would make it possible for evil-minded users to destroy
your site.

~Jakob
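
The distinction drawn in this thread, as an added example that is not part of the original posts: a standard-library Python sketch comparing what autoescaping does to a stored description with an "escape everything, then restore a small tag allowlist" approach for when the stored text may have come from a user. The function names, the allowlist and the sample strings are assumptions made for illustration; `html.escape` stands in for Django's autoescape, and in a Django project the allowlisted result would still have to be wrapped with `django.utils.safestring.mark_safe` inside a custom filter before the template prints it unescaped.

```python
import html
import re

# Assumed policy: only these tags, in bare attribute-free form, may be restored.
ALLOWED_TAGS = ("br", "b", "i", "p")

# Matches an *escaped* allowlisted tag: &lt;br&gt;, &lt;br/&gt;, &lt;/p&gt; ...
# Anything carrying attributes (e.g. &lt;b onclick=...&gt;) does not match.
_ESCAPED_TAG = re.compile(
    r"&lt;(/?)(%s)\s*(/?)&gt;" % "|".join(ALLOWED_TAGS), re.IGNORECASE
)

# Constructed sample values for a "description" column.
TRUSTED_DESC = "Backs up the database.<br>Runs nightly."
HOSTILE_DESC = 'Nice script<br><script>alert(1)</script><b onclick="x()">hi</b>'


def render_autoescaped(value):
    """Equivalent in effect to autoescaping: every HTML metacharacter is escaped."""
    return html.escape(value, quote=True)


def render_marked_safe(value):
    """Equivalent in effect to `|safe`: the stored value reaches the page verbatim."""
    return value


def render_allowlisted(value):
    """Escape the whole value first, then turn back only bare allowlisted tags."""
    escaped = html.escape(value, quote=True)
    return _ESCAPED_TAG.sub(
        lambda m: "<%s%s%s>" % (m.group(1), m.group(2).lower(), m.group(3)),
        escaped,
    )


if __name__ == "__main__":
    for label, desc in (("trusted", TRUSTED_DESC), ("hostile", HOSTILE_DESC)):
        print(label)
        print("  autoescaped:", render_autoescaped(desc))
        print("  marked safe:", render_marked_safe(desc))
        print("  allowlisted:", render_allowlisted(desc))
```

Because escaping happens before anything is restored, the script element and the attribute-bearing tag in the hostile sample stay inert text, while `<br>` renders as a line break in both samples.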