From 8dbd8b1c295e02a678d8c177c34bedaadd3e182a Mon Sep 17 00:00:00 2001 From: Russell Keith-Magee Date: Tue, 23 Mar 2010 14:52:51 +0000 Subject: [PATCH] Fixed #13177 -- Corrected usage of firstof in admin templates. Thanks to nomulous for the report and patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@12840 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- .../contrib/admin/templates/admin/base.html | 2 +- docs/ref/templates/builtins.txt | 20 +++++++++++++------ 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/django/contrib/admin/templates/admin/base.html b/django/contrib/admin/templates/admin/base.html index d1216a114e..f3b403bdb3 100644 --- a/django/contrib/admin/templates/admin/base.html +++ b/django/contrib/admin/templates/admin/base.html @@ -25,7 +25,7 @@ {% if user.is_active and user.is_staff %}
{% trans 'Welcome,' %} - {% firstof user.first_name user.username %}. + {% filter force_escape %}{% firstof user.first_name user.username %}{% endfilter %}. {% block userlinks %} {% url django-admindocs-docroot as docsroot %} {% if docsroot %} diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 9e8f9825d6..2d65bb22dc 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -113,9 +113,13 @@ You can use any number of values in a ``{% cycle %}`` tag, separated by spaces. Values enclosed in single (``'``) or double quotes (``"``) are treated as string literals, while values without quotes are treated as template variables. -Note that the variables included in the cycle will not be escaped. This is -because template tags do not escape their content. If you want to escape the -variables in the cycle, you must do so explicitly:: +Note that the variables included in the cycle will not be escaped. +This is because template tags do not escape their content. Any HTML or +Javascript code contained in the printed variable will be rendered +as-is, which could potentially lead to security issues. + +If you need to escape the variables in the cycle, you must do so +explicitly:: {% filter force_escape %} {% cycle var1 var2 var3 %} 
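Review bot: The added `{% filter force_escape %}` wrapper is the right fix here because `firstof` emits its winning value without autoescaping, but the commit adds no regression test (the diffstat lists only the template and the docs), so a later edit of this line could silently reintroduce the unescaped `user.first_name`. A test that logs in a staff user whose `first_name` is something like `<b>x</b>`, fetches an admin page and asserts the response contains `&lt;b&gt;x&lt;/b&gt;` and not `<b>x</b>` would pin the behaviour; the admin_views regression tests look like the natural home, though the test tree is not visible here. `force_escape` marks its result safe, so the surrounding autoescape will not double-escape the value. Since `first_name` is presumably free text that another user with change permission on users can set, the injection would be stored rather than reflected, which is worth noting in the commit message. The enclosing `{% if user.is_active and user.is_staff %}` block opens at the hunk's edge and closes outside the hunk.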
@@ -203,9 +207,13 @@ passed variables are False:: {% firstof var1 var2 var3 "fallback value" %} -Note that the variables included in the firstof tag will not be escaped. This -is because template tags do not escape their content. If you want to escape -the variables in the firstof tag, you must do so explicitly:: +Note that the variables included in the firstof tag will not be +escaped. This is because template tags do not escape their content. +Any HTML or Javascript code contained in the printed variable will be +rendered as-is, which could potentially lead to security issues. + +If you need to escape the variables in the firstof tag, you must do so +explicitly:: {% filter force_escape %} {% firstof var1 var2 var3 "fallback value" %}