{% block title %}My amazing site{% endblock %}

`` tags. Some filters take arguments. A filter argument looks like this: ``{{ bio|truncatewords:30 }}``. This will display the first 30 words of the ``bio`` variable. Filter arguments that contain spaces must be quoted; for example, to join a list with commas and spaces you'd use ``{{ list|join:", " }}``. Django provides about sixty built-in template filters. You can read all about them in the :ref:`built-in filter reference `. To give you a taste of what's available, here are some of the more commonly used template filters: :tfilter:`default` If a variable is false or empty, use given default. Otherwise, use the value of the variable. For example: .. code-block:: html+django {{ value|default:"nothing" }} If ``value`` isn't provided or is empty, the above will display "``nothing``". :tfilter:`length` Returns the length of the value. This works for both strings and lists. For example: .. code-block:: html+django {{ value|length }} If ``value`` is ``['a', 'b', 'c', 'd']``, the output will be ``4``. :tfilter:`filesizeformat` Formats the value like a "human-readable" file size (i.e. ``'13 KB'``, ``'4.1 MB'``, ``'102 bytes'``, etc.). For example: .. code-block:: html+django {{ value|filesizeformat }} If ``value`` is 123456789, the output would be ``117.7 MB``. Again, these are just a few examples; see the :ref:`built-in filter reference ` for the complete list. You can also create your own custom template filters; see :doc:`/howto/custom-template-tags`. .. seealso:: Django's admin interface can include a complete reference of all template tags and filters available for a given site. See :doc:`/ref/contrib/admin/admindocs`. Tags ==== Tags look like this: ``{% tag %}``. Tags are more complex than variables: Some create text in the output, some control flow by performing loops or logic, and some load external information into the template to be used by later variables. Some tags require beginning and ending tags (i.e. ``{% tag %} ... tag contents ... {% endtag %}``). Django ships with about two dozen built-in template tags. You can read all about them in the :ref:`built-in tag reference `. To give you a taste of what's available, here are some of the more commonly used tags: :ttag:`for` Loop over each item in an array. For example, to display a list of athletes provided in ``athlete_list``: .. code-block:: html+django

{% for athlete in athlete_list %}

{% endfor %}

` for the complete list. You can also create your own custom template tags; see :doc:`/howto/custom-template-tags`. .. seealso:: Django's admin interface can include a complete reference of all template tags and filters available for a given site. See :doc:`/ref/contrib/admin/admindocs`. .. _template-comments: Comments ======== To comment-out part of a line in a template, use the comment syntax: ``{# #}``. For example, this template would render as ``'hello'``: .. code-block:: html+django {# greeting #}hello A comment can contain any template code, invalid or not. For example: .. code-block:: html+django {# {% if foo %}bar{% else %} #} This syntax can only be used for single-line comments (no newlines are permitted between the ``{#`` and ``#}`` delimiters). If you need to comment out a multiline portion of the template, see the :ttag:`comment` tag. .. _template-inheritance: Template inheritance ==================== The most powerful -- and thus the most complex -- part of Django's template engine is template inheritance. Template inheritance allows you to build a base "skeleton" template that contains all the common elements of your site and defines **blocks** that child templates can override. Let's look at template inheritance by starting with an example: .. code-block:: html+django {% block title %}My amazing site{% endblock %}

{% block content %}{% endblock %}

This template, which we'll call ``base.html``, defines an HTML skeleton document that you might use for a two-column page. It's the job of "child" templates to fill the empty blocks with content. In this example, the :ttag:`block` tag defines three blocks that child templates can fill in. All the :ttag:`block` tag does is to tell the template engine that a child template may override those portions of the template. A child template might look like this: .. code-block:: html+django {% extends "base.html" %} {% block title %}My amazing blog{% endblock %} {% block content %} {% for entry in blog_entries %}

{% endfor %} {% endblock %} The :ttag:`extends` tag is the key here. It tells the template engine that this template "extends" another template. When the template system evaluates this template, first it locates the parent -- in this case, "base.html". At that point, the template engine will notice the three :ttag:`block` tags in ``base.html`` and replace those blocks with the contents of the child template. Depending on the value of ``blog_entries``, the output might look like: .. code-block:: html+django My amazing blog

Entry one

This is my first entry.

Entry two

This is my second entry.

Note that since the child template didn't define the ``sidebar`` block, the value from the parent template is used instead. Content within a ``{% block %}`` tag in a parent template is always used as a fallback. You can use as many levels of inheritance as needed. One common way of using inheritance is the following three-level approach: * Create a ``base.html`` template that holds the main look-and-feel of your site. * Create a ``base_SECTIONNAME.html`` template for each "section" of your site. For example, ``base_news.html``, ``base_sports.html``. These templates all extend ``base.html`` and include section-specific styles/design. * Create individual templates for each type of page, such as a news article or blog entry. These templates extend the appropriate section template. This approach maximizes code reuse and helps to add items to shared content areas, such as section-wide navigation. Here are some tips for working with inheritance: * If you use :ttag:`{% extends %}` in a template, it must be the first template tag in that template. Template inheritance won't work, otherwise. * More :ttag:`{% block %}` tags in your base templates are better. Remember, child templates don't have to define all parent blocks, so you can fill in reasonable defaults in a number of blocks, then only define the ones you need later. It's better to have more hooks than fewer hooks. * If you find yourself duplicating content in a number of templates, it probably means you should move that content to a ``{% block %}`` in a parent template. * If you need to get the content of the block from the parent template, the ``{{ block.super }}`` variable will do the trick. This is useful if you want to add to the contents of a parent block instead of completely overriding it. Data inserted using ``{{ block.super }}`` will not be automatically escaped (see the `next section`_), since it was already escaped, if necessary, in the parent template. * By using the same template name as you are inheriting from, :ttag:`{% extends %}` can be used to inherit a template at the same time as overriding it. Combined with ``{{ block.super }}``, this can be a powerful way to make small customizations. See :ref:`extending_an_overridden_template` in the *Overriding templates* How-to for a full example. * Variables created outside of a :ttag:`{% block %}` using the template tag ``as`` syntax can't be used inside the block. For example, this template doesn't render anything: .. code-block:: html+django {% translate "Title" as title %} {% block content %}{{ title }}{% endblock %} * For extra readability, you can optionally give a *name* to your ``{% endblock %}`` tag. For example: .. code-block:: html+django {% block content %} ... {% endblock content %} In larger templates, this technique helps you see which ``{% block %}`` tags are being closed. * :ttag:`{% block %}` tags are evaluated first. That's why the content of a block is always overridden, regardless of the truthiness of surrounding tags. For example, this template will *always* override the content of the ``title`` block: .. code-block:: html+django {% if change_title %} {% block title %}Hello!{% endblock title %} {% endif %} Finally, note that you can't define multiple :ttag:`block` tags with the same name in the same template. This limitation exists because a block tag works in "both" directions. That is, a block tag doesn't just provide a hole to fill -- it also defines the content that fills the hole in the *parent*. If there were two similarly-named :ttag:`block` tags in a template, that template's parent wouldn't know which one of the blocks' content to use. .. _template-partials: Template partials ================= .. versionadded:: 6.0 Template partials define reusable template fragments within a template file. They are self-contained components that can be rendered multiple times within the same template, helping to avoid repetition and maintain consistent output. Basic syntax ------------ A partial can be defined using the :ttag:`partialdef` tag: .. code-block:: html+django :caption: ``authors.html`` {% partialdef user-info %}

{% endpartialdef %} For extra readability, the name can be included in the ``{% endpartialdef %}`` closing tag: .. code-block:: html+django {% partialdef user-info %} {# ... #} {% endpartialdef user-info %} The template fragment can be rendered using the :ttag:`partial` tag: .. code-block:: html+django {% partial user-info %} Fragment reuse -------------- A template fragment can be reused multiple times: .. code-block:: html+django :caption: ``authors.html`` {% block content %}

Authors

{% for user in authors %} {% partial user-info %} {% endfor %}

Editors

{% for user in editors %} {% partial user-info %} {% endfor %} {% endblock %} The partial content is rendered each time the named partial is used, with the current template context. .. _template-partials-inline: Inline partials --------------- A template fragment can be defined and rendered in-place using the ``inline`` argument. This defines the partial for later reuse while also rendering it immediately at its definition: .. code-block:: html+django {# Define and render immediately. #} {% partialdef user-info inline %}

{% endpartialdef %} {# Other page content here. #} {# Reuse later elsewhere in the template. #}

Featured Authors

{% for user in featured %} {% partial user-info %} {% endfor %}

.. _template-partials-direct-access: Accessing partials directly --------------------------- Template fragments defined with :ttag:`partialdef` can be accessed directly via template loading or inclusion using the ``template.html#partial_name`` syntax. For example, using the :func:`~django.shortcuts.render` shortcut, the following code renders only the partial named ``user-info`` defined in the ``authors.html`` template:: from django.contrib.auth.models import User from django.shortcuts import get_object_or_404, render def user_info_partial(request, user_id): user = get_object_or_404(User, id=user_id) return render(request, "authors.html#user-info", {"user": user}) This approach is particularly useful for AJAX-style requests that update only specific portions of a page with the rendered template fragment. Template partials can also be included using the :ttag:`include` template tag with the same ``#`` directive: .. code-block:: html+django {% include "authors.html#user-info" %} Context handling ---------------- Template partials are rendered with the current template context. They work as expected in loops and with context variables: .. code-block:: html+django {% for user in users %} {% partial user-info %} {% endfor %} Context variables can be adjusted using the :ttag:`with` tag: .. code-block:: html+django {% with user=featured_author %}

Featured Author of the Month

{% partial user-info %} {% endwith %} .. _next section: #automatic-html-escaping .. _automatic-html-escaping: Automatic HTML escaping ======================= When generating HTML from templates, there's always a risk that a variable will include characters that affect the resulting HTML. For example, consider this template fragment: .. code-block:: html+django Hello, {{ name }} At first, this seems like a harmless way to display a user's name, but consider what would happen if the user entered their name as this: .. code-block:: html+django With this name value, the template would be rendered as: .. code-block:: html+django Hello, ...which means the browser would pop-up a JavaScript alert box! Similarly, what if the name contained a ``'<'`` symbol, like this? .. code-block:: html username That would result in a rendered template like this: .. code-block:: html+django Hello, username ...which, in turn, would result in the remainder of the web page being in bold! Clearly, user-submitted data shouldn't be trusted blindly and inserted directly into your web pages, because a malicious user could use this kind of hole to do potentially bad things. This type of security exploit is called a `Cross Site Scripting`_ (XSS) attack. To avoid this problem, you have two options: * One, you can make sure to run each untrusted variable through the :tfilter:`escape` filter (documented below), which converts potentially harmful HTML characters to unharmful ones. This was the default solution in Django for its first few years, but the problem is that it puts the onus on *you*, the developer / template author, to ensure you're escaping everything. It's easy to forget to escape data. * Two, you can take advantage of Django's automatic HTML escaping. The remainder of this section describes how auto-escaping works. By default in Django, every template automatically escapes the output of every variable tag. Specifically, these five characters are escaped: * ``<`` is converted to ``<`` * ``>`` is converted to ``>`` * ``'`` (single quote) is converted to ``'`` * ``"`` (double quote) is converted to ``"`` * ``&`` is converted to ``&`` Again, we stress that this behavior is on by default. If you're using Django's template system, you're protected. .. _Cross Site Scripting: https://en.wikipedia.org/wiki/Cross-site_scripting How to turn it off ------------------ If you don't want data to be auto-escaped, on a per-site, per-template level or per-variable level, you can turn it off in several ways. Why would you want to turn it off? Because sometimes, template variables contain data that you *intend* to be rendered as raw HTML, in which case you don't want their contents to be escaped. For example, you might store a blob of HTML in your database and want to embed that directly into your template. Or, you might be using Django's template system to produce text that is *not* HTML -- like an email message, for instance. For individual variables ~~~~~~~~~~~~~~~~~~~~~~~~ To disable auto-escaping for an individual variable, use the :tfilter:`safe` filter: .. code-block:: html+django This will be escaped: {{ data }} This will not be escaped: {{ data|safe }} Think of *safe* as shorthand for *safe from further escaping* or *can be safely interpreted as HTML*. In this example, if ``data`` contains ``''``, the output will be: .. code-block:: html+django This will be escaped: <b> This will not be escaped: For template blocks ~~~~~~~~~~~~~~~~~~~ To control auto-escaping for a template, wrap the template (or a particular section of the template) in the :ttag:`autoescape` tag, like so: .. code-block:: html+django {% autoescape off %} Hello {{ name }} {% endautoescape %} The :ttag:`autoescape` tag takes either ``on`` or ``off`` as its argument. At times, you might want to force auto-escaping when it would otherwise be disabled. Here is an example template: .. code-block:: html+django Auto-escaping is on by default. Hello {{ name }} {% autoescape off %} This will not be auto-escaped: {{ data }}. Nor this: {{ other_data }} {% autoescape on %} Auto-escaping applies again: {{ name }} {% endautoescape %} {% endautoescape %} The auto-escaping tag passes its effect onto templates that extend the current one as well as templates included via the :ttag:`include` tag, just like all block tags. For example: .. code-block:: html+django :caption: ``base.html`` {% autoescape off %}
{% block title %}{% endblock %}
{% block content %} {% endblock %} {% endautoescape %} .. code-block:: html+django :caption: ``child.html`` {% extends "base.html" %} {% block title %}This & that{% endblock %} {% block content %}{{ greeting }}{% endblock %} Because auto-escaping is turned off in the base template, it will also be turned off in the child template, resulting in the following rendered HTML when the ``greeting`` variable contains the string ``Hello!``: .. code-block:: html+django
This & that
Hello! Notes ----- Generally, template authors don't need to worry about auto-escaping very much. Developers on the Python side (people writing views and custom filters) need to think about the cases in which data shouldn't be escaped, and mark data appropriately, so things Just Work in the template. If you're creating a template that might be used in situations where you're not sure whether auto-escaping is enabled, then add an :tfilter:`escape` filter to any variable that needs escaping. When auto-escaping is on, there's no danger of the :tfilter:`escape` filter *double-escaping* data -- the :tfilter:`escape` filter does not affect auto-escaped variables. .. _string-literals-and-automatic-escaping: String literals and automatic escaping -------------------------------------- As we mentioned earlier, filter arguments can be strings: .. code-block:: html+django {{ data|default:"This is a string literal." }} All string literals are inserted **without** any automatic escaping into the template -- they act as if they were all passed through the :tfilter:`safe` filter. The reasoning behind this is that the template author is in control of what goes into the string literal, so they can make sure the text is correctly escaped when the template is written. This means you would write : .. code-block:: html+django {{ data|default:"3 < 2" }} ...rather than: .. code-block:: html+django {{ data|default:"3 < 2" }} {# Bad! Don't do this. #} This doesn't affect what happens to data coming from the variable itself. The variable's contents are still automatically escaped, if necessary, because they're beyond the control of the template author. .. _template-accessing-methods: Accessing method calls ====================== Most method calls attached to objects are also available from within templates. This means that templates have access to much more than just class attributes (like field names) and variables passed in from views. For example, the Django ORM provides the :ref:`"entry_set"` syntax for finding a collection of objects related on a foreign key. Therefore, given a model called "comment" with a foreign key relationship to a model called "task" you can loop through all comments attached to a given task like this: .. code-block:: html+django {% for comment in task.comment_set.all %} {{ comment }} {% endfor %} Similarly, :doc:`QuerySets` provide a ``count()`` method to count the number of objects they contain. Therefore, you can obtain a count of all comments related to the current task with: .. code-block:: html+django {{ task.comment_set.all.count }} You can also access methods you've explicitly defined on your own models: .. code-block:: python :caption: ``models.py`` class Task(models.Model): def foo(self): return "bar" .. code-block:: html+django :caption: ``template.html`` {{ task.foo }} Because Django intentionally limits the amount of logic processing available in the template language, it is not possible to pass arguments to method calls accessed from within templates. Data should be calculated in views, then passed to templates for display. .. _loading-custom-template-libraries: Custom tag and filter libraries =============================== Certain applications provide custom tag and filter libraries. To access them in a template, ensure the application is in :setting:`INSTALLED_APPS` (we'd add ``'django.contrib.humanize'`` for this example), and then use the :ttag:`load` tag in a template: .. code-block:: html+django {% load humanize %} {{ 45000|intcomma }} In the above, the :ttag:`load` tag loads the ``humanize`` tag library, which then makes the ``intcomma`` filter available for use. If you've enabled :mod:`django.contrib.admindocs`, you can consult the documentation area in your admin to find the list of custom libraries in your installation. The :ttag:`load` tag can take multiple library names, separated by spaces. Example: .. code-block:: html+django {% load humanize i18n %} See :doc:`/howto/custom-template-tags` for information on writing your own custom template libraries. Custom libraries and template inheritance ----------------------------------------- When you load a custom tag or filter library, the tags/filters are only made available to the current template -- not any parent or child templates along the template-inheritance path. For example, if a template ``foo.html`` has ``{% load humanize %}``, a child template (e.g., one that has ``{% extends "foo.html" %}``) will *not* have access to the humanize template tags and filters. The child template is responsible for its own ``{% load humanize %}``. This is a feature for the sake of maintainability and sanity. .. seealso:: :doc:`The Templates Reference ` Covers built-in tags, built-in filters, using an alternative template language, and more.

{{ section.title }}

{{ story.headline|upper }}

{{ entry.title }}