mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 06:06:09 +00:00
Code Issues 32 Releases Wiki Activity

Fixed #25018 -- Changed simple_tag to apply conditional_escape() to its output.

Browse Source 
This is a security hardening fix to help prevent XSS (and incorrect HTML)
for the common use case of simple_tag.

Thanks to Tim Graham for the review.
This commit is contained in:
Luke Plant
2015-06-15 11:17:09 +01:00
committed by Tim Graham
parent 9ed82154bd
commit aef2a0ec59
6 changed files with 110 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
docs/howto/custom-template-tags.txt
View File

@@ -441,6 +441,22 @@ A few things to note about the ``simple_tag`` helper function:
* If the argument was a template variable, our function is passed the
current value of the variable, not the variable itself.
Unlike other tag utilities, ``simple_tag`` passes its output through
:func:`~django.utils.html.conditional_escape` if the template context is in
autoescape mode, to ensure correct HTML and protect you from XSS
vulnerabilities.
If additional escaping is not desired, you will need to use
:func:`~django.utils.safestring.mark_safe` if you are absolutely sure that your
code does not contain XSS vulnerabilities. For building small HTML snippets,
use of :func:`~django.utils.html.format_html` instead of ``mark_safe()`` is
strongly recommended.
.. versionchanged:: 1.9
Auto-escaping for ``simple_tag`` as described in the previous two paragraphs
was added.
If your template tag needs to access the current context, you can use the
``takes_context`` argument when registering your tag::
@@ -792,12 +808,16 @@ Ultimately, this decoupling of compilation and rendering results in an
efficient template system, because a template can render multiple contexts
without having to be parsed multiple times.
.. _tags-auto-escaping:
Auto-escaping considerations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The output from template tags is **not** automatically run through the
auto-escaping filters. However, there are still a couple of things you should
keep in mind when writing a template tag.
auto-escaping filters (with the exception of
:meth:`~django.template.Library.simple_tag` as described above). However, there
are still a couple of things you should keep in mind when writing a template
tag.
If the ``render()`` function of your template stores the result in a context
variable (rather than returning the result in a string), it should take care