| author | Russell Keith-Magee <russell@keith-magee.com> | 2010-03-23 14:52:51 +0000 |
|---|---|---|
| committer | Russell Keith-Magee <russell@keith-magee.com> | 2010-03-23 14:52:51 +0000 |
| commit | 8dbd8b1c295e02a678d8c177c34bedaadd3e182a (patch) | |
| tree | cdd320056211bc600aca95b5e0cfaf89af41a76d /docs/ref | |
| parent | 985e4c8dfe9d79ffc33af6dc64973c20c01f7485 (diff) | |
Fixed #13177 -- Corrected usage of firstof in admin templates. Thanks to nomulous for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12840 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/templates/builtins.txt | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 9e8f9825d6..2d65bb22dc 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -113,9 +113,13 @@ You can use any number of values in a ``{% cycle %}`` tag, separated by spaces. Values enclosed in single (``'``) or double quotes (``"``) are treated as string literals, while values without quotes are treated as template variables. -Note that the variables included in the cycle will not be escaped. This is -because template tags do not escape their content. If you want to escape the -variables in the cycle, you must do so explicitly:: +Note that the variables included in the cycle will not be escaped. +This is because template tags do not escape their content. Any HTML or +Javascript code contained in the printed variable will be rendered +as-is, which could potentially lead to security issues. + +If you need to escape the variables in the cycle, you must do so +explicitly:: {% filter force_escape %} {% cycle var1 var2 var3 %} @@ -203,9 +207,13 @@ passed variables are False:: {% firstof var1 var2 var3 "fallback value" %} -Note that the variables included in the firstof tag will not be escaped. This -is because template tags do not escape their content. If you want to escape -the variables in the firstof tag, you must do so explicitly:: +Note that the variables included in the firstof tag will not be +escaped. This is because template tags do not escape their content. +Any HTML or Javascript code contained in the printed variable will be +rendered as-is, which could potentially lead to security issues. + +If you need to escape the variables in the firstof tag, you must do so +explicitly:: {% filter force_escape %} {% firstof var1 var2 var3 "fallback value" %} |
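Review bot: In the first hunk (the ``{% cycle %}`` note), the added sentence "which could potentially lead to security issues" is vaguer than it needs to be; the concrete risk is cross-site scripting when the cycled variable carries user-supplied content, and naming it tells a reader exactly when the explicit ``force_escape`` is required rather than optional. Suggested wording: "Any HTML or JavaScript contained in the variable will be rendered as-is, so a variable holding user-supplied content can introduce a cross-site scripting vulnerability." While editing, "Javascript" should be spelled "JavaScript".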
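Review bot: In the second hunk (the firstof note), the same "could potentially lead to security issues" phrasing should name cross-site scripting as the risk, for the same reason as in the cycle note, and "Javascript" should read "JavaScript". One extra sentence would also help here: the ``{% filter force_escape %}`` example escapes the entire output of the tag, which includes the ``"fallback value"`` string literal, so a fallback that intentionally contains markup will be escaped as well; the doc should say so, since that is the one behavioural difference between the firstof example and the cycle example above it.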
