1
0
mirror of https://github.com/django/django.git synced 2025-10-25 22:56:12 +00:00

[1.6.x] Fixed #21722 -- Added a warning for avoiding XSS vulnerabilities when reusing built-in filters.

Thanks Stephen McDonald for the suggestion.

Backport of 07711e9997 from master
This commit is contained in:
Tim Graham
2014-01-02 16:28:56 -05:00
parent 5dcb287060
commit 8841cbbe82

View File

@@ -338,6 +338,34 @@ Template filter code falls into one of two situations:
handle the auto-escaping issues and return a safe string, the
``is_safe`` flag won't change anything either way.
.. warning:: Avoiding XSS vulnerabilities when reusing built-in filters
Be careful when reusing Django's built-in filters. You'll need to pass
``autoescape=True`` to the filter in order to get the proper autoescaping
behavior and avoid a cross-site script vulnerability.
For example, if you wanted to write a custom filter called
``urlize_and_linebreaks`` that combined the :tfilter:`urlize` and
:tfilter:`linebreaksbr` filters, the filter would look like::
from django.template.defaultfilters import linebreaksbr, urlize
@register.filter
def urlize_and_linebreaks(text):
return linebreaksbr(urlize(text, autoescape=True), autoescape=True)
Then:
.. code-block:: html+django
{{ comment|urlize_and_linebreaks }}
would be equivalent to:
.. code-block:: html+django
{{ comment|urlize|linebreaksbr }}
.. _filters-timezones:
Filters and time zones