mirror of https://github.com/django/django.git
Fixed #21722 -- Added a warning for avoiding XSS vulnerabilities when reusing built-in filters.
Thanks Stephen McDonald for the suggestion.
This commit is contained in:
parent
3c699c0a5d
commit
07711e9997
|
@ -339,6 +339,34 @@ Template filter code falls into one of two situations:
|
|||
handle the auto-escaping issues and return a safe string, the
|
||||
``is_safe`` flag won't change anything either way.
|
||||
|
||||
.. warning:: Avoiding XSS vulnerabilities when reusing built-in filters
|
||||
|
||||
Be careful when reusing Django's built-in filters. You'll need to pass
|
||||
``autoescape=True`` to the filter in order to get the proper autoescaping
|
||||
behavior and avoid a cross-site script vulnerability.
|
||||
|
||||
For example, if you wanted to write a custom filter called
|
||||
``urlize_and_linebreaks`` that combined the :tfilter:`urlize` and
|
||||
:tfilter:`linebreaksbr` filters, the filter would look like::
|
||||
|
||||
from django.template.defaultfilters import linebreaksbr, urlize
|
||||
|
||||
@register.filter
|
||||
def urlize_and_linebreaks(text):
|
||||
return linebreaksbr(urlize(text, autoescape=True), autoescape=True)
|
||||
|
||||
Then:
|
||||
|
||||
.. code-block:: html+django
|
||||
|
||||
{{ comment|urlize_and_linebreaks }}
|
||||
|
||||
would be equivalent to:
|
||||
|
||||
.. code-block:: html+django
|
||||
|
||||
{{ comment|urlize|linebreaksbr }}
|
||||
|
||||
.. _filters-timezones:
|
||||
|
||||
Filters and time zones
|
||||
|
|
Loading…
Reference in New Issue