summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2014-01-02 16:28:56 -0500
committerTim Graham <timograham@gmail.com>2014-01-02 16:29:59 -0500
commit07711e999779eff4296d1a363c1131dbb14acae2 (patch)
tree91409f87996c27daed2bd3ff2d59409749ce7993 /docs
parent3c699c0a5ded6f6c51c0375d46b91b326b36e16a (diff)
Fixed #21722 -- Added a warning for avoiding XSS vulnerabilities when reusing built-in filters.
Thanks Stephen McDonald for the suggestion.
Diffstat (limited to 'docs')
-rw-r--r--docs/howto/custom-template-tags.txt28
1 files changed, 28 insertions, 0 deletions
diff --git a/docs/howto/custom-template-tags.txt b/docs/howto/custom-template-tags.txt
index 1f6d2d5c75..b5cbf571b7 100644
--- a/docs/howto/custom-template-tags.txt
+++ b/docs/howto/custom-template-tags.txt
@@ -339,6 +339,34 @@ Template filter code falls into one of two situations:
handle the auto-escaping issues and return a safe string, the
``is_safe`` flag won't change anything either way.
+.. warning:: Avoiding XSS vulnerabilities when reusing built-in filters
+
+ Be careful when reusing Django's built-in filters. You'll need to pass
+ ``autoescape=True`` to the filter in order to get the proper autoescaping
+ behavior and avoid a cross-site script vulnerability.
+
+ For example, if you wanted to write a custom filter called
+ ``urlize_and_linebreaks`` that combined the :tfilter:`urlize` and
+ :tfilter:`linebreaksbr` filters, the filter would look like::
+
+ from django.template.defaultfilters import linebreaksbr, urlize
+
+ @register.filter
+ def urlize_and_linebreaks(text):
+ return linebreaksbr(urlize(text, autoescape=True), autoescape=True)
+
+ Then:
+
+ .. code-block:: html+django
+
+ {{ comment|urlize_and_linebreaks }}
+
+ would be equivalent to:
+
+ .. code-block:: html+django
+
+ {{ comment|urlize|linebreaksbr }}
+
.. _filters-timezones:
Filters and time zones