From 9219741ee77b59227b8011243488d0a7bfee778f Mon Sep 17 00:00:00 2001
From: Russell Keith-Magee
Date: Fri, 3 Jul 2009 06:12:50 +0000
Subject: [PATCH] [1.0.X] Fixed #11413 -- Added notes on the cycle and firstof tag detailing that variables output by those tags will not be escaped by default. Thanks to krystal for the report and draft patch. Merge of r11163 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.0.X@11166 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/template/defaulttags.py  | 14 ++++++++++----
 docs/ref/templates/builtins.txt | 27 ++++++++++++++++++++++-----
 2 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/django/template/defaulttags.py b/django/template/defaulttags.py
index e9caef52e3..2ea3e00789 100644
--- a/django/template/defaulttags.py
+++ b/django/template/defaulttags.py
@@ -562,7 +562,7 @@ do_filter = register.tag("filter", do_filter)
 #@register.tag
 def firstof(parser, token):
     """
-    Outputs the first variable passed that is not False.
+    Outputs the first variable passed that is not False, without escaping.
 
     Outputs nothing if all the passed variables are False.
 
@@ -573,11 +573,11 @@ def firstof(parser, token):
     This is equivalent to::
 
         {% if var1 %}
-            {{ var1 }}
+            {{ var1|safe }}
         {% else %}{% if var2 %}
-            {{ var2 }}
+            {{ var2|safe }}
         {% else %}{% if var3 %}
-            {{ var3 }}
+            {{ var3|safe }}
         {% endif %}{% endif %}{% endif %}
 
     but obviously much cleaner!
@@ -587,6 +587,12 @@ def firstof(parser, token):
 
         {% firstof var1 var2 var3 "fallback value" %}
 
+    If you want to escape the output, use a filter tag::
+
+        {% filter force_escape %}
+            {% firstof var1 var2 var3 "fallback value" %}
+        {% endfilter %}
+
     """
     bits = token.split_contents()[1:]
     if len(bits) < 1:
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index 11abc77eb9..67b66ba993 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
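Review bot: The new docstring line `Outputs the first variable passed that is not False, without escaping.` states the behaviour but not its consequence: since the expansion is equivalent to `{{ var1|safe }}`, a user-controlled value reaches the response unescaped even when autoescaping is on, which this commit documents rather than changes. I would add one sentence after it, `Autoescaping does not apply to this output; wrap the tag in {% filter force_escape %} whenever any argument may contain user-supplied data.`, so that the force_escape example in the third hunk reads as the expected usage for untrusted values rather than an optional extra. The equivalent wording belongs in the firstof and cycle notes added to builtins.txt. The body of firstof continues past the last hunk (`if len(bits) < 1:` is its final visible line).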
@@ -101,6 +101,14 @@ You can use any number of values in a ``{% cycle %}`` tag, separated by spaces.
 Values enclosed in single (``'``) or double quotes (``"``) are treated as string
 literals, while values without quotes are treated as template variables.
 
+Note that the variables included in the cycle will not be escaped. This is
+because template tags do not escape their content. If you want to escape the
+variables in the cycle, you must do so explicitly::
+
+    {% filter force_escape %}
+        {% cycle var1 var2 var3 %}
+    {% endfilter %}
+
 For backwards compatibility, the ``{% cycle %}`` tag supports the much inferior
 old syntax from previous Django versions. You shouldn't use this in any new
 projects, but for the sake of the people who are still using it, here's what it
@@ -160,8 +168,9 @@ Sample usage::
 firstof
 ~~~~~~~
 
-Outputs the first variable passed that is not False. Outputs nothing if all the
-passed variables are False.
+Outputs the first variable passed that is not False, without escaping.
+
+Outputs nothing if all the passed variables are False.
 
 Sample usage::
 
@@ -170,11 +179,11 @@ Sample usage::
 This is equivalent to::
 
     {% if var1 %}
-        {{ var1 }}
+        {{ var1|safe }}
     {% else %}{% if var2 %}
-        {{ var2 }}
+        {{ var2|safe }}
     {% else %}{% if var3 %}
-        {{ var3 }}
+        {{ var3|safe }}
     {% endif %}{% endif %}{% endif %}
 
 You can also use a literal string as a fallback value in case all
@@ -182,6 +191,14 @@ passed variables are False::
 
     {% firstof var1 var2 var3 "fallback value" %}
 
+Note that the variables included in the firstof tag will not be escaped. This
+is because template tags do not escape their content. If you want to escape
+the variables in the firstof tag, you must do so explicitly::
+
+    {% filter force_escape %}
+        {% firstof var1 var2 var3 "fallback value" %}
+    {% endfilter %}
+
 .. templatetag:: for
 
 for