
Fixed #25018 -- Changed simple_tag to apply conditional_escape() to its output.

This is a security hardening fix to help prevent XSS (and incorrect HTML)
for the common use case of simple_tag.

Thanks to Tim Graham for the review.
This commit is contained in:
Luke Plant
2015-06-15 11:17:09 +01:00
committed by Tim Graham
parent 9ed82154bd
commit aef2a0ec59
6 changed files with 110 additions and 3 deletions


@@ -4,6 +4,7 @@ from importlib import import_module
from django.utils import six
from django.utils.deprecation import RemovedInDjango20Warning
from django.utils.html import conditional_escape
from django.utils.inspect import getargspec
from django.utils.itercompat import is_iterable
@@ -201,6 +202,8 @@ class SimpleNode(TagHelperNode):
if self.target_var is not None:
context[self.target_var] = output
return ''
if context.autoescape:
output = conditional_escape(output)
return output