blocktrans auto escape peculiarity

[Gruffudd Williams]

This does not auto escape value:

{% blocktrans %}This string will have {{ value }} inside.{% endblocktrans %}

but this does:

{% blocktrans value as value %}This string will have {{ value }} inside.{% endblocktrans %}

I think the auto escaping should work in both cases.

[Gruffudd Williams]

On second thought, perhaps this is invalid.
It's to do with the order in which substitution is done. In the first example the substitution is done before translation, which doesn't make sense in most cases anyway.

[Malcolm Tredinnick]

I believe your initial report more than your conclusion. :-)

It seems somewhat inconsistent and I can't really see why the behaviours should be different. Your comment seems to explain why they are different due to the implementation, but that's not necessarily good behaviour. I'm going to reopen this, because we need better behaviour here. At the very least, this would have to be something that was very clearly documented, but it's going to take a bit to convince me that the two versions should just behave exactly the same way.

[Gruffudd Williams]

If I understand correctly, one of the downsides of adding auto escaping to the first example is that the po file would potentially need html-entitied strings in msgid="bla&bla" in order for a translation to match.
Not doing it, however, means a potential xss hole if somebody forgets to specify the variable in the blocktrans tag.

[Marc Garcia]

It looks like this ticket was a duplicate of #10369, and it was fixed on [10519].