Ticket #21722: 21722.diff

File 21722.diff, 1.3 KB (added by Tim Graham, 11 years ago)
  • docs/howto/custom-template-tags.txt

    diff --git a/docs/howto/custom-template-tags.txt b/docs/howto/custom-template-tags.txt
    index 1f6d2d5..c101f48 100644
    a b Template filter code falls into one of two situations:  
    339339   handle the auto-escaping issues and return a safe string, the
    340340   ``is_safe`` flag won't change anything either way.
    341341
     342.. warning:: Avoiding XSS vulnerabilities when reusing built-in filters
     343
     344    Be careful when reusing Django's built-in filters. You'll need to pass
     345    ``autoescape=True`` to the filter in order to get the proper autoescaping
     346    behavior and avoid a cross-site script vulnerability.
     347
     348    For example, if you wanted to write a custom filter called
     349    ``urlize_and_linebreaks`` that combined the :tfilter:`urlize` and
     350    :tfilter:`linebreaksbr` filters, the filter would look like::
     351
     352        from django.template.defaultfilters import linebreaksbr, urlize
     353
     354        @register.filter
     355        def urlize_and_linebreaks(text):
     356            return linebreaksbr(urlize(s, autoescape=True), autoescape=True)
     357
     358    Then:
     359
     360    .. code-block:: html+django
     361
     362        {{ comment|urlize_and_linebreaks }}
     363
     364    would be equivalent to:
     365
     366    .. code-block:: html+django
     367
     368        {{ comment|urlize|linebreaksbr }}
     369
    342370.. _filters-timezones:
    343371
    344372Filters and time zones
Back to Top