diff options
| author | Tim Graham <timograham@gmail.com> | 2014-03-21 13:17:10 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-03-21 13:17:10 -0400 |
| commit | 1ea44a3abd4e58777247a095afd03dd01efdef55 (patch) | |
| tree | 8d85b10f7c3e9713891d7f9605654f481a1b178a /docs | |
| parent | 274048351ae2fc35995645a6dad7c98f74f51eb1 (diff) | |
Switched {% cycle %} and {% firstof %} tags to auto-escape their variables per deprecation timeline.
refs #17906.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/templates/builtins.txt | 58 |
1 files changed, 11 insertions, 47 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 4f8102c003..a73ba87d75 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -102,13 +102,11 @@ this:: </tr> {% endfor %} -Note that the variables included in the cycle will not be escaped. Any HTML or -Javascript code contained in the printed variable will be rendered as-is, which -could potentially lead to security issues. So either make sure that you trust -their values or use explicit escaping like this:: +Variables included in the cycle will be escaped. You can disable auto-escaping +with:: {% for o in some_list %} - <tr class="{% filter force_escape %}{% cycle rowvalue1 rowvalue2 %}{% endfilter %}"> + <tr class="{% autoescape off %}{% cycle rowvalue1 rowvalue2 %}{% endautoescape ... </tr> {% endfor %} @@ -196,21 +194,6 @@ In this syntax, each value gets interpreted as a literal string, and there's no way to specify variable values. Or literal commas. Or spaces. Did we mention you shouldn't use this syntax in any new projects? -.. versionchanged:: 1.6 - -To improve safety, future versions of ``cycle`` will automatically escape -their output. You're encouraged to activate this behavior by loading -``cycle`` from the ``future`` template library:: - - {% load cycle from future %} - -When using the ``future`` version, you can disable auto-escaping with:: - - {% for o in some_list %} - <tr class="{% autoescape off %}{% cycle rowvalue1 rowvalue2 %}{% endautoescape %}"> - ... - </tr> - {% endfor %} .. templatetag:: debug @@ -268,10 +251,8 @@ Sample usage:: firstof ^^^^^^^ -Outputs the first argument variable that is not False. This tag does *not* -auto-escape variable values. - -Outputs nothing if all the passed variables are False. +Outputs the first argument variable that is not ``False``. Outputs nothing if +all the passed variables are ``False``. Sample usage:: @@ -292,32 +273,15 @@ passed variables are False:: {% firstof var1 var2 var3 "fallback value" %} -Note that currently the variables included in the firstof tag will not be -escaped. Any HTML or Javascript code contained in the printed variable will be -rendered as-is, which could potentially lead to security issues. If you need -to escape the variables in the firstof tag, you must do so explicitly:: +This tag auto-escapes variable values. You can disable auto-escaping with:: - {% filter force_escape %} - {% firstof var1 var2 var3 "fallback value" %} - {% endfilter %} - -.. versionchanged:: 1.6 - - To improve safety, future versions of ``firstof`` will automatically escape - their output. You're encouraged to activate this behavior by loading - ``firstof`` from the ``future`` template library:: - - {% load firstof from future %} - - When using the ``future`` version, you can disable auto-escaping with:: - - {% autoescape off %} - {% firstof var1 var2 var3 "<strong>fallback value</strong>" %} - {% endautoescape %} + {% autoescape off %} + {% firstof var1 var2 var3 "<strong>fallback value</strong>" %} + {% endautoescape %} - Or if only some variables should be escaped, you can use:: +Or if only some variables should be escaped, you can use:: - {% firstof var1 var2|safe var3 "<strong>fallback value</strong>"|safe %} + {% firstof var1 var2|safe var3 "<strong>fallback value</strong>"|safe %} .. templatetag:: for |
