On Wed, Oct 29, 2008 at 8:35 AM, shabda <[EMAIL PROTECTED]> wrote:
>
> I need to create a custom filter which displays some data from db
> depending on its data type.
>
> My code is something like,
>
> from django.template.defaultfilters import linebreaks, urlize
>
> def filterxx(data):
>     return linebreaks(urlize(data.value))
>
> My data.value is
>
> Asdfghjkl
>
> <script>alert('hole')</script>
>
> This is used in templates, and shows up unescaped, which allows users
> to run arbitrary scripts. What am I doing wrong?
>
You are calling built-in filters that rely on being told the current
autoescape setting without passing along the current autoescape setting
in effect. I think you want something more like:

    def filterxx(data, autoescape=None):
        return linebreaks(urlize(data.value, autoescape), autoescape)
    filterxx.needs_autoescape = True

Karen

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---
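The following is an added, runnable illustration of the point in the reply above; it is not code from the thread or from Django itself. The `SafeString`, `mark_safe`, `conditional_escape`, `urlize`, `linebreaks` and `apply_filter` definitions are a minimal stand-in that follows the Django 1.0-era filter contract (built-in filters take an `autoescape` argument defaulting to `None`, escape their input only when it is truthy, and mark their HTML output safe; the engine hands `context.autoescape` only to filters flagged `needs_autoescape` and escapes a filter's result only if it is not already marked safe). The names `filterxx_broken`, `SAMPLE` and `apply_filter` are constructed for this example.

```python
"""Why a custom filter must forward the autoescape flag to the built-ins it wraps.

Stand-in model of Django's autoescape contract (not Django's code): just enough
to show how the original filterxx lets raw <script> through and how the fixed
version from the reply closes the hole.
"""
import html
import re
from types import SimpleNamespace


class SafeString(str):
    """Marks HTML as already escaped; the engine will not escape it again
    (models django.utils.safestring.SafeString)."""


def mark_safe(value):
    return value if isinstance(value, SafeString) else SafeString(value)


def conditional_escape(value):
    """Escape unless the value is already marked safe
    (models django.utils.html.conditional_escape)."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


_URL_RE = re.compile(r"(https?://\S+)")


def urlize(value, autoescape=None):
    """Wrap bare URLs in <a> tags. Escapes the text first only when
    autoescape is truthy, then marks the result safe, like Django 1.0's
    defaultfilters.urlize. With autoescape=None nothing is escaped."""
    text = conditional_escape(value) if autoescape else str(value)
    linked = _URL_RE.sub(r'<a href="\1" rel="nofollow">\1</a>', text)
    return mark_safe(linked)


def linebreaks(value, autoescape=None):
    """Turn blank-line-separated text into <p> blocks and newlines into <br>,
    following the same escape-then-mark-safe contract as urlize."""
    text = conditional_escape(value) if autoescape else str(value)
    paragraphs = re.split(r"\n{2,}", text.strip())
    return mark_safe("".join("<p>%s</p>" % p.replace("\n", "<br>") for p in paragraphs))


def apply_filter(filter_func, value, autoescape=True):
    """Models what the template engine does when it applies a filter:
    pass the context's autoescape flag only if the filter declares
    needs_autoescape, then escape the result only if it is not marked safe."""
    if getattr(filter_func, "needs_autoescape", False):
        result = filter_func(value, autoescape=autoescape)
    else:
        result = filter_func(value)
    return conditional_escape(result) if autoescape else str(result)


# --- the filter as posted in the question (constructed name) ---------------
def filterxx_broken(data):
    # urlize and linebreaks get autoescape=None, so neither escapes anything,
    # yet both mark their output safe; the engine then trusts it verbatim.
    return linebreaks(urlize(data.value))


# --- the filter as corrected in the reply ---------------------------------
def filterxx(data, autoescape=None):
    return linebreaks(urlize(data.value, autoescape), autoescape)


filterxx.needs_autoescape = True


# Constructed sample row, mirroring the data.value from the question.
SAMPLE = SimpleNamespace(value="Asdfghjkl\n\n<script>alert('hole')</script>")


if __name__ == "__main__":
    print("broken :", apply_filter(filterxx_broken, SAMPLE))
    print("fixed  :", apply_filter(filterxx, SAMPLE))
    print("fixed, {% autoescape off %}:", apply_filter(filterxx, SAMPLE, autoescape=False))
```

The broken filter renders the `<script>` tag untouched even though autoescaping is on, because the last built-in call returned a safe-marked string and the engine has no way to know that nothing inside it was ever escaped. The fixed filter forwards the flag, so `urlize` escapes the text before anything is marked safe, and inside an `{% autoescape off %}` block it still yields raw HTML, which is the behaviour the template author asked for there.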