On Oct 29, 8:35 am, shabda <[EMAIL PROTECTED]> wrote:
> I need to create a custom filter which displays some data from db
> depending on its data type.
>
> My code is something like,
>
> from django.template.defaultfilters import linebreaks, urlize
>
> def filterxx(data):
>     return linebreaks(urlize(data.value))
>
> My data.value is
>
> Asdfghjkl
>
> <script>alert('hole')</script>
>
> This is used in templates, and shows up unescaped, which allows users
> to run arbitrary scripts. What am I doing wrong?
Your filter is internally calling the linebreaks and urlize built-in
filters which end up wrapping that filter's return value into a "safe
string" via django.utils.safestring.mark_safe().
See:
http://docs.djangoproject.com/en/dev/howto/custom-template-tags/#filters-and-auto-escaping
You should escape your data.value explicitly before passing it on to
those functions. The second bullet point in the above document shows
how you would achieve conditional escaping of data.value in your
filter.
-RD
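To make the mechanism concrete, here is an added, dependency-free example (not code from the thread or from Django) that models the bug and the conditional-escaping fix the reply points to. `SafeString`, `mark_safe`, `conditional_escape`, `urlize`, `linebreaks` and `render` below are deliberately tiny stand-ins for the Django originals in `django.utils.safestring`, `django.utils.html` and `django.template.defaultfilters`, written only so the example runs without Django; the `Data` class and `SAMPLE` value are constructed to mirror the value in the original message. In a real project you would keep the structure of `filterxx` but import the Django functions and register it with `@register.filter(needs_autoescape=True)`.

```python
# Added example: stdlib-only model of why the original filter leaks markup and
# how explicit conditional escaping closes the hole. The helpers below are
# stand-ins for Django's mark_safe / conditional_escape / urlize / linebreaks
# and are NOT Django's code.
import html
import re


class SafeString(str):
    """Stand-in for Django's SafeString: output the engine must not escape again."""


def mark_safe(s):
    """Stand-in for django.utils.safestring.mark_safe."""
    return SafeString(s)


def conditional_escape(text):
    """Escape unless already marked safe (mirrors django.utils.html.conditional_escape)."""
    if isinstance(text, SafeString):
        return text
    return mark_safe(html.escape(str(text), quote=True))


_URL_RE = re.compile(r'(https?://\S+)')


def urlize(text):
    """Toy urlize: wraps bare http(s) URLs in <a>. Like Django's, it marks its result safe."""
    return mark_safe(_URL_RE.sub(r'<a href="\1">\1</a>', text))


def linebreaks(text):
    """Toy linebreaks: blank-line-separated paragraphs -> <p>, single newlines -> <br>."""
    paras = re.split(r'\n{2,}', str(text).strip())
    return mark_safe(''.join('<p>%s</p>' % p.replace('\n', '<br>') for p in paras))


def render(value, autoescape=True):
    """Stand-in for what the template engine does with a filter's return value."""
    if autoescape and not isinstance(value, SafeString):
        return html.escape(str(value), quote=True)
    return str(value)


# The filter as posted: raw data goes straight into urlize/linebreaks, which mark
# the result safe, so the engine's autoescaping never touches the <script>.
def filterxx_unsafe(data):
    return linebreaks(urlize(data.value))


# The fix: escape the untrusted input first, then build markup around it.
# With Django, decorate this with @register.filter(needs_autoescape=True) so the
# engine passes the current autoescape setting into the `autoescape` argument.
def filterxx(data, autoescape=True):
    esc = conditional_escape if autoescape else (lambda x: x)
    return mark_safe(linebreaks(urlize(esc(data.value))))


class Data:
    """Constructed stand-in for the model instance whose .value the filter reads."""
    def __init__(self, value):
        self.value = value


# Constructed sample mirroring the value from the original message, plus a URL
# so the urlize step is visible in the output.
SAMPLE = Data("Asdfghjkl\n\n<script>alert('hole')</script> see http://example.com/x")


def demo():
    """Return (rendered output of the unsafe filter, rendered output of the fixed one)."""
    return render(filterxx_unsafe(SAMPLE)), render(filterxx(SAMPLE))


if __name__ == '__main__':
    bad, good = demo()
    print("unsafe:", bad)
    print("fixed: ", good)
```

Running it shows the unsafe variant emitting the literal `<script>` tag inside `<p>` markup, while the fixed variant emits `&lt;script&gt;...` with the URL still turned into a working `<a>` link, because escaping happened before the markup-producing functions ran rather than after.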
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en