Tweaked templates/builtins.txt to make it clearer that cycle and firstof filters don't auto-escape. Refs #10912

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17177 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 346324f1312654e9ee76c9b435583d7b2f009c90 1 parent 9b93f1c
Adrian Holovaty authored December 09, 2011

Showing 1 changed file with 15 additions and 5 deletions.

20  docs/ref/templates/builtins.txt
@@ -88,7 +88,17 @@ You can use variables, too. For example, if you have two template variables,
88 88
         </tr>
89 89
     {% endfor %}
90 90
 
91  
-Yes, you can mix variables and strings::
  91
+Note that variable arguments (``rowvalue1`` and ``rowvalue2`` above) are NOT
  92
+auto-escaped! So either make sure that you trust their values, or use explicit
  93
+escaping, like this::
  94
+
  95
+    {% for o in some_list %}
  96
+        <tr class="{% filter force_escape %}{% cycle rowvalue1 rowvalue2 %}{% endfilter %}">
  97
+            ...
  98
+        </tr>
  99
+    {% endfor %}
  100
+
  101
+You can mix variables and strings::
92 102
 
93 103
     {% for o in some_list %}
94 104
         <tr class="{% cycle 'row1' rowvalue2 'row3' %}">
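Review bot: the new paragraph at lines 91-93 presents "make sure that you trust their values" and explicit escaping as equal alternatives, but only the escaping option is safe whenever ``rowvalue1`` or ``rowvalue2`` can be influenced by user input, and the example places the cycle output straight into a ``class`` attribute. Suggest wording it so that the ``{% filter force_escape %}`` wrapper is the default and trusting the value is the exception reserved for values the application itself sets. Style point: the docs already use ``.. warning::`` admonitions for this kind of caveat, which would make it stand out in the rendered page better than the capitalised "NOT" and the exclamation mark.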
@@ -232,7 +242,8 @@ Sample usage::
232 242
 firstof
233 243
 ^^^^^^^
234 244
 
235  
-Outputs the first variable passed that is not False, without escaping.
  245
+Outputs the first variable passed that is not False. Does NOT auto-escape
  246
+variable values.
236 247
 
237 248
 Outputs nothing if all the passed variables are False.
238 249
 
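Review bot: the rewritten summary at lines 245-246 says that ``firstof`` does not auto-escape variable values but gives no pointer to the remedy; the detailed caveat and the ``{% filter force_escape %}`` workaround sit some twenty lines further down in the same section, so a reader who only skims the opening sentence never sees the mitigation. Suggest appending a short cross-reference such as "See the note on escaping below." or moving the explicit-escaping example up next to this sentence.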
@@ -258,9 +269,8 @@ passed variables are False::
258 269
 Note that the variables included in the firstof tag will not be
259 270
 escaped. This is because template tags do not escape their content.
260 271
 Any HTML or Javascript code contained in the printed variable will be
261  
-rendered as-is, which could potentially lead to security issues.
262  
-
263  
-If you need to escape the variables in the firstof tag, you must do so
  272
+rendered as-is, which could potentially lead to security issues. If you
  273
+need to escape the variables in the firstof tag, you must do so
264 274
 explicitly::
265 275
 
266 276
     {% filter force_escape %}
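Review bot: merging the two paragraphs at lines 269-274 reads fine, but "could potentially lead to security issues" remains vague; the preceding sentence already states that any HTML or JavaScript in the printed variable is rendered as-is, so naming the consequence (cross-site scripting whenever that value originates from user input) tells readers why the explicit ``{% filter force_escape %}`` that follows is needed rather than optional. Minor style point in the retained context line 271: "Javascript" should be "JavaScript".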
