mirror of https://github.com/django/django.git (synced 2025-10-25 06:36:07 +00:00)

[1.6.x] Fixed #21722 -- Added a warning for avoiding XSS vulnerabilities when reusing built-in filters.

Thanks Stephen McDonald for the suggestion.

Backport of 07711e9997 from master

		| @@ -338,6 +338,34 @@ Template filter code falls into one of two situations: | |||||||
|    handle the auto-escaping issues and return a safe string, the |    handle the auto-escaping issues and return a safe string, the | ||||||
|    ``is_safe`` flag won't change anything either way. |    ``is_safe`` flag won't change anything either way. | ||||||
|  |  | ||||||
|  | .. warning:: Avoiding XSS vulnerabilities when reusing built-in filters | ||||||
|  |  | ||||||
|  |     Be careful when reusing Django's built-in filters. You'll need to pass | ||||||
|  |     ``autoescape=True`` to the filter in order to get the proper autoescaping | ||||||
|  |     behavior and avoid a cross-site script vulnerability. | ||||||
|  |  | ||||||
|  |     For example, if you wanted to write a custom filter called | ||||||
|  |     ``urlize_and_linebreaks`` that combined the :tfilter:`urlize` and | ||||||
|  |     :tfilter:`linebreaksbr` filters, the filter would look like:: | ||||||
|  |  | ||||||
|  |         from django.template.defaultfilters import linebreaksbr, urlize | ||||||
|  |  | ||||||
|  |         @register.filter | ||||||
|  |         def urlize_and_linebreaks(text): | ||||||
|  |             return linebreaksbr(urlize(text, autoescape=True), autoescape=True) | ||||||
|  |  | ||||||
|  |     Then: | ||||||
|  |  | ||||||
|  |     .. code-block:: html+django | ||||||
|  |  | ||||||
|  |         {{ comment|urlize_and_linebreaks }} | ||||||
|  |  | ||||||
|  |     would be equivalent to: | ||||||
|  |  | ||||||
|  |     .. code-block:: html+django | ||||||
|  |  | ||||||
|  |         {{ comment|urlize|linebreaksbr }} | ||||||
|  |  | ||||||
| .. _filters-timezones: | .. _filters-timezones: | ||||||
|  |  | ||||||
| Filters and time zones | Filters and time zones | ||||||
|   | |||||||
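Review bot: The example in the added warning hard-codes ``autoescape=True`` in both calls, which is the safe choice but means ``urlize_and_linebreaks`` always escapes regardless of the surrounding ``{% autoescape %}`` state, so the claim that ``{{ comment|urlize_and_linebreaks }}`` is equivalent to ``{{ comment|urlize|linebreaksbr }}`` only holds when auto-escaping is on. Either state that caveat in the warning, or show the form the preceding section already describes, registering the filter with ``@register.filter(needs_autoescape=True)``, accepting an ``autoescape=True`` parameter, and forwarding it to ``urlize`` and ``linebreaksbr``; it would also help to note that ``register`` is the ``template.Library()`` instance set up earlier in this document, since the snippet uses it without defining it.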