summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorVladimir A Filonov <vladimir@labbler.com>2013-02-23 15:07:21 +0100
committerAymeric Augustin <aymeric.augustin@m4x.org>2013-02-23 16:16:39 +0100
commitf49e9a517f2fdc1d9ed7ac841ace77636cbd6747 (patch)
tree412736a26abc5b88aeac224820be51c381cef2e7 /docs/ref
parenta61dbd62193d036d082fdad4d1af3b48ebec4fb3 (diff)
Fixed #17906 - Autoescaping {% cycle %} and {% firstof %} templatetags.
This commit adds "future" version of these two tags with auto-escaping enabled.
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/templates/builtins.txt55
1 files changed, 43 insertions, 12 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index cfc57cc551..149a557356 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -147,9 +147,8 @@ You can use any number of values in a ``{% cycle %}`` tag, separated by spaces.
Values enclosed in single (``'``) or double quotes (``"``) are treated as
string literals, while values without quotes are treated as template variables.
-Note that the variables included in the cycle will not be escaped.
-This is because template tags do not escape their content. Any HTML or
-Javascript code contained in the printed variable will be rendered
+Note that currently the variables included in the cycle will not be escaped.
+Any HTML or Javascript code contained in the printed variable will be rendered
as-is, which could potentially lead to security issues.
For backwards compatibility, the ``{% cycle %}`` tag supports the much inferior
@@ -190,6 +189,22 @@ call to ``{% cycle %}`` doesn't specify silent::
{% cycle 'row1' 'row2' as rowcolors silent %}
{% cycle rowcolors %}
+.. versionchanged:: 1.6
+
+To improve safety, future versions of ``cycle`` will automatically escape
+their output. You're encouraged to activate this behavior by loading
+``cycle`` from the ``future`` template library::
+
+ {% load cycle from future %}
+
+When using the ``future`` version, you can disable auto-escaping with::
+
+ {% for o in some_list %}
+ <tr class="{% autoescape off %}{% cycle rowvalue1 rowvalue2 %}{% endautoescape %}">
+ ...
+ </tr>
+ {% endfor %}
+
.. templatetag:: debug
debug
@@ -257,28 +272,44 @@ This is equivalent to::
{% if var1 %}
{{ var1|safe }}
- {% else %}{% if var2 %}
+ {% elif var2 %}
{{ var2|safe }}
- {% else %}{% if var3 %}
+ {% elif var3 %}
{{ var3|safe }}
- {% endif %}{% endif %}{% endif %}
+ {% endif %}
You can also use a literal string as a fallback value in case all
passed variables are False::
{% firstof var1 var2 var3 "fallback value" %}
-Note that the variables included in the firstof tag will not be
-escaped. This is because template tags do not escape their content.
-Any HTML or Javascript code contained in the printed variable will be
-rendered as-is, which could potentially lead to security issues. If you
-need to escape the variables in the firstof tag, you must do so
-explicitly::
+Note that currently the variables included in the firstof tag will not be
+escaped. Any HTML or Javascript code contained in the printed variable will be
+rendered as-is, which could potentially lead to security issues. If you need
+to escape the variables in the firstof tag, you must do so explicitly::
{% filter force_escape %}
{% firstof var1 var2 var3 "fallback value" %}
{% endfilter %}
+.. versionchanged:: 1.6
+
+To improve safety, future versions of ``firstof`` will automatically escape
+their output. You're encouraged to activate this behavior by loading
+``firstof`` from the ``future`` template library::
+
+ {% load firstof from future %}
+
+When using the ``future`` version, you can disable auto-escaping with::
+
+ {% autoescape off %}
+ {% firstof var1 var2 var3 "<strong>fallback value</strong>" %}
+ {% endautoescape %}
+
+Or if only some variables should be escaped, you can use::
+
+ {% firstof var1 var2|safe var3 "<strong>fallback value</strong>"|safe %}
+
.. templatetag:: for
for