So if these built-in filters are marking my strings safe, in spite of unsafe data being passed in, should they not handle escaping as well?
Rajesh Dhawan wrote:
> On Oct 29, 8:35 am, shabda <[EMAIL PROTECTED]> wrote:
> > I need to create a custom filter which displays some data from db
> > depending on its data type.
> >
> > My code is something like,
> >
> >     from django.template.defaultfilters import linebreaks, urlize
> >
> >     def filterxx(data):
> >         return linebreaks(urlize(data.value))
> >
> > My data.value is
> >
> >     Asdfghjkl
> >
> >     <script>alert('hole')</script>
> >
> > This is used in templates, and shows up unescaped, which allows users
> > to run arbitrary scripts. What am I doing wrong?
>
> Your filter is internally calling the linebreaks and urlize built-in
> filters which end up wrapping that filter's return value into a "safe
> string" via django.utils.safestring.mark_safe().
>
> See:
> http://docs.djangoproject.com/en/dev/howto/custom-template-tags/#filters-and-auto-escaping
>
> You should escape your data.value explicitly before passing it on to
> those functions. The second bullet point in the above document shows
> how you would achieve conditional escaping of data.value in your
> filter.
>
> -RD
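Added example, not code from this thread and not Django's own code: a self-contained Python model of the mechanism the reply describes. SafeString, mark_safe, escape, conditional_escape, urlize, linebreaks and render below are simplified stand-ins that mimic only the relevant behaviour of their django.utils.safestring, django.utils.html and django.template.defaultfilters namesakes (the built-in filters hand back output marked safe without escaping the text they were given, and the engine escapes only values that are not marked safe); the Row class and the sample text are constructed. It shows the filter from the original post leaking the script tag, and the version that calls conditional_escape on data.value first, which in a real filter module you would register with needs_autoescape=True so the autoescape argument is supplied by the engine.

```python
import html
import re


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString: a str the renderer
    will not escape again.  Model only, not Django's class."""


def mark_safe(s):
    """Stand-in for django.utils.safestring.mark_safe."""
    return s if isinstance(s, SafeString) else SafeString(s)


def escape(s):
    """Stand-in for django.utils.html.escape: HTML-escape and mark safe."""
    return mark_safe(html.escape(str(s), quote=True))


def conditional_escape(s):
    """Stand-in for django.utils.html.conditional_escape: escape unless the
    value is already marked safe (so double-escaping never happens)."""
    return s if isinstance(s, SafeString) else escape(s)


_URL_RE = re.compile(r"(https?://\S+)")


def urlize(value):
    """Simplified stand-in for the urlize filter: wraps bare URLs in <a>.
    Like the real filter when called from Python with autoescape unset, it
    marks the whole result safe without escaping the surrounding text."""
    linked = _URL_RE.sub(r'<a href="\1" rel="nofollow">\1</a>', str(value))
    return mark_safe(linked)


def linebreaks(value):
    """Simplified stand-in for the linebreaks filter: blank-line separated
    paragraphs become <p>, single newlines become <br />; result marked safe."""
    paras = re.split(r"\n{2,}", str(value).strip())
    return mark_safe("".join("<p>%s</p>" % p.replace("\n", "<br />") for p in paras))


def render(value):
    """What the template engine does with a filter's return value under
    autoescaping: escape it unless it is marked safe."""
    return str(conditional_escape(value))


class Row:
    """Constructed stand-in for the db object; only .value is used."""

    def __init__(self, value):
        self.value = value


# Constructed sample: the text from the original post plus a URL so that
# urlize has something to link.
SAMPLE = Row("Asdfghjkl\n\n<script>alert('hole')</script> see http://example.com/x")


def filterxx_vulnerable(data):
    """The filter as posted: the raw field goes straight into filters that
    mark their output safe, so the <script> element survives autoescaping."""
    return linebreaks(urlize(data.value))


def filterxx_fixed(data, autoescape=True):
    """The fix the reply recommends: escape the untrusted field first, then
    let urlize/linebreaks add their own (trusted) markup on top.  In a real
    Django filter, register this with needs_autoescape=True so the engine
    passes autoescape; when autoescaping is off, the engine expects raw text."""
    esc = conditional_escape if autoescape else (lambda x: x)
    return linebreaks(urlize(esc(data.value)))


if __name__ == "__main__":
    print("vulnerable:", render(filterxx_vulnerable(SAMPLE)))
    print("fixed:     ", render(filterxx_fixed(SAMPLE)))
```

The point the model makes explicit: conditional_escape on the input is safe to compose with filters that mark their output safe, because the escaping happens before any markup is generated, and a value that arrives already marked safe (from an upstream filter) is passed through rather than escaped twice.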