Fixed #11413 -- Added notes on the cycle and firstof tag detailing that variables output by those tags will not be escaped by default. Thanks to krystal for the report and draft patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11163 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 6ed0345092110906299379ef6f1f9bb22d6f3737 1 parent f5ed3f4
@freakboy3742 freakboy3742 authored
Showing with 32 additions and 9 deletions.
  1. +10 −4 django/template/defaulttags.py
  2. +22 −5 docs/ref/templates/builtins.txt
14 django/template/defaulttags.py
@@ -564,7 +564,7 @@ def do_filter(parser, token):
#@register.tag
def firstof(parser, token):
"""
- Outputs the first variable passed that is not False.
+ Outputs the first variable passed that is not False, without escaping.
Outputs nothing if all the passed variables are False.
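Review bot: the new wording "without escaping" on the first docstring line is accurate but easy to read past; since the point of this change is that the tag output bypasses autoescaping entirely, consider stating that the value is emitted unescaped even when autoescaping is on, so a reader of the docstring understands that `{% autoescape on %}` around the tag makes no difference.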
@@ -575,11 +575,11 @@ def firstof(parser, token):
This is equivalent to::
{% if var1 %}
- {{ var1 }}
+ {{ var1|safe }}
{% else %}{% if var2 %}
- {{ var2 }}
+ {{ var2|safe }}
{% else %}{% if var3 %}
- {{ var3 }}
+ {{ var3|safe }}
{% endif %}{% endif %}{% endif %}
but obviously much cleaner!
@@ -589,6 +589,12 @@ def firstof(parser, token):
{% firstof var1 var2 var3 "fallback value" %}
+ If you want to escape the output, use a filter tag::
+
+ {% filter force_escape %}
+ {% firstof var1 var2 var3 "fallback value" %}
+ {% endfilter %}
+
"""
bits = token.split_contents()[1:]
if len(bits) < 1:
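Review bot: the recommended wrapper `{% filter force_escape %}` escapes unconditionally, so a variable whose value is already a pre-escaped safe string will be escaped a second time (this is exactly what `force_escape` is for, as opposed to `escape`). A short caveat next to the example, or a pointer to the difference between `escape` and `force_escape`, would stop readers from getting `&amp;lt;` style double escaping when mixing already-safe values into a `firstof`.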
27 docs/ref/templates/builtins.txt
@@ -101,6 +101,14 @@ You can use any number of values in a ``{% cycle %}`` tag, separated by spaces.
Values enclosed in single (``'``) or double quotes (``"``) are treated as
string literals, while values without quotes are treated as template variables.
+Note that the variables included in the cycle will not be escaped. This is
+because template tags do not escape their content. If you want to escape the
+variables in the cycle, you must do so explicitly::
+
+ {% filter force_escape %}
+ {% cycle var1 var2 var3 %}
+ {% endfilter %}
+
For backwards compatibility, the ``{% cycle %}`` tag supports the much inferior
old syntax from previous Django versions. You shouldn't use this in any new
projects, but for the sake of the people who are still using it, here's what it
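Review bot: the sentence "This is because template tags do not escape their content" is a statement about every template tag, while the note only needs to describe `cycle` (and `firstof` in the later hunk). If the intent is to document these two tags, narrowing the wording to "these tags" avoids readers generalising the rule to tags that do escape, and keeps the docs from making a promise about third-party tags.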
@@ -160,8 +168,9 @@ Sample usage::
firstof
~~~~~~~
-Outputs the first variable passed that is not False. Outputs nothing if all the
-passed variables are False.
+Outputs the first variable passed that is not False, without escaping.
+
+Outputs nothing if all the passed variables are False.
Sample usage::
@@ -170,11 +179,11 @@ Sample usage::
This is equivalent to::
{% if var1 %}
- {{ var1 }}
+ {{ var1|safe }}
{% else %}{% if var2 %}
- {{ var2 }}
+ {{ var2|safe }}
{% else %}{% if var3 %}
- {{ var3 }}
+ {{ var3|safe }}
{% endif %}{% endif %}{% endif %}
You can also use a literal string as a fallback value in case all
@@ -182,6 +191,14 @@ passed variables are False::
{% firstof var1 var2 var3 "fallback value" %}
+Note that the variables included in the firstof tag will not be escaped. This
+is because template tags do not escape their content. If you want to escape
+the variables in the firstof tag, you must do so explicitly::
+
+ {% filter force_escape %}
+ {% firstof var1 var2 var3 "fallback value" %}
+ {% endfilter %}
+
.. templatetag:: for
for
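Review bot: the `{% filter force_escape %}` example wraps the whole tag including the literal `"fallback value"`, so a fallback that intentionally contains markup would be escaped along with the variables; worth a sentence so that authors do not put HTML in the literal and then wonder why it is rendered as text. Separately, this note and the docstring note added to `django/template/defaulttags.py` in this commit say the same thing in slightly different words ("you must do so explicitly" vs "use a filter tag"); aligning the two makes it easier to keep them in sync later.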