On 03/05/12 17:49, Voulnet wrote:
> The document you linked says it doesn't make it safe to use, but rather
> helps in fixing syntax errors.
> 
> " escapejs
> 
> Escapes characters for use in JavaScript strings. This does not make the
> string safe for use in HTML, but does protect you from syntax errors
> when using templates to generate JavaScript/JSON."

This means that it is not safe for use *in HTML*. It does guarantee that
all the data ends up as a single JavaScript string literal, but that
JavaScript string will still need HTML escaping if you are planning on
inserting it in the DOM. This needs to be done using a JavaScript escape
function (not provided).

We've looked at custom escape mechanisms in the past. There are big
difficulties due to the fact that builtin filters only work correctly
with the context of HTML escaping.

Some relevant previous discussions:

http://goo.gl/XZ7Pt

http://goo.gl/T8tkx

Luke

-- 
OSBORN'S LAW
    Variables won't, constants aren't.

Luke Plant || http://lukeplant.me.uk/
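An added illustration of the two separate escaping steps discussed above (example code written for this thread, not Luke's, Voulnet's or Django's own code). escapeJs below is a simplified reimplementation modelled on what Django's escapejs filter does, so treat its exact character list as an assumption; escapeHtml is the kind of client-side function the mail says the template layer does not provide. The sample value is constructed for the demonstration.

```javascript
// Step 1: what escapejs gives you. Every character that could break out of
// a JS string literal (or terminate a <script> block) becomes \uXXXX.
// Assumption: mapping modelled on Django's escapejs, not the project's code.
function escapeJs(value) {
  const special = new Set([
    '\\', "'", '"', '>', '<', '&', '=', '-', ';', '`', '\u2028', '\u2029',
  ]);
  let out = '';
  for (const ch of String(value)) {
    const code = ch.codePointAt(0);
    if (special.has(ch) || code < 32) {
      out += '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
    } else {
      out += ch;
    }
  }
  return out;
}

// The line a Django template would emit inside a <script> block.
function renderScriptLine(value) {
  return 'var name = "' + escapeJs(value) + '";';
}

// What the browser's parser holds once it has read that literal: the
// ORIGINAL text, raw '<', '>' and '&' included. JSON.parse is used here as a
// stand-in for the JS engine's string-literal parser.
function parseLiteral(escaped) {
  return JSON.parse('"' + escaped + '"');
}

// Step 2: the HTML escaping that escapejs does NOT do. Needed whenever the
// decoded string is handed to innerHTML, document.write, or similar.
function escapeHtml(text) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Markup built from the decoded value without HTML escaping: the value's
// tags are interpreted as markup.
function markupUnsafe(name) {
  return '<p>Hello ' + name + '</p>';
}

// Markup built with HTML escaping: the value's tags stay literal text.
function markupSafe(name) {
  return '<p>Hello ' + escapeHtml(name) + '</p>';
}

// Constructed sample value containing quotes, angle brackets and an ampersand.
const SAMPLE = 'Tom "The Boss" O\'Neil <b>& co</b>';

console.log(renderScriptLine(SAMPLE));        // syntactically safe literal
console.log(parseLiteral(escapeJs(SAMPLE)));  // original text comes back
console.log(markupUnsafe(parseLiteral(escapeJs(SAMPLE))));
console.log(markupSafe(parseLiteral(escapeJs(SAMPLE))));
```

Round-tripping through parseLiteral is the point: escapejs only promises that the value survives as one string literal, so by the time your script reads it the angle brackets are back, and escapeHtml (or textContent instead of innerHTML) has to run in the browser before the value touches the DOM.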