Fixed #13177 -- Corrected usage of firstof in admin templates. Thanks to nomulous for the report and patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@12840 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 8dbd8b1c295e02a678d8c177c34bedaadd3e182a 1 parent 985e4c8
@freakboy3742 freakboy3742 authored
2  django/contrib/admin/templates/admin/base.html
@@ -25,7 +25,7 @@
{% if user.is_active and user.is_staff %}
<div id="user-tools">
{% trans 'Welcome,' %}
- <strong>{% firstof user.first_name user.username %}</strong>.
+ <strong>{% filter force_escape %}{% firstof user.first_name user.username %}{% endfilter %}</strong>.
{% block userlinks %}
{% url django-admindocs-docroot as docsroot %}
{% if docsroot %}
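Review bot: the `{% filter force_escape %}...{% endfilter %}` wrapper on the `firstof` line is the right fix, because `firstof` emits whichever of `user.first_name` / `user.username` is truthy without applying escaping, and both are user-controlled strings that land inside `<strong>` in every admin page; keep the wrapper tight around the tag as done here so the trailing `.` and surrounding markup are not escaped. Before merging, it would be worth grepping the other templates under `django/contrib/admin/templates/` for `{% firstof %}` and `{% cycle %}` uses on user-supplied values, since the commit message describes this as a correction across "admin templates" but the patch touches only `base.html`.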
20 docs/ref/templates/builtins.txt
@@ -113,9 +113,13 @@ You can use any number of values in a ``{% cycle %}`` tag, separated by spaces.
Values enclosed in single (``'``) or double quotes (``"``) are treated as
string literals, while values without quotes are treated as template variables.
-Note that the variables included in the cycle will not be escaped. This is
-because template tags do not escape their content. If you want to escape the
-variables in the cycle, you must do so explicitly::
+Note that the variables included in the cycle will not be escaped.
+This is because template tags do not escape their content. Any HTML or
+Javascript code contained in the printed variable will be rendered
+as-is, which could potentially lead to security issues.
+
+If you need to escape the variables in the cycle, you must do so
+explicitly::
{% filter force_escape %}
{% cycle var1 var2 var3 %}
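Review bot: the new wording in this hunk is vaguer than it needs to be; "could potentially lead to security issues" should name the actual risk, for example "which can lead to cross-site scripting (XSS) if the values come from user input", so readers know why the `force_escape` wrapper matters. Also spell it "JavaScript" rather than "Javascript", consistent with the rest of the docs. The split into two paragraphs before the `::` literal block is an improvement and renders correctly in reST.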
@@ -203,9 +207,13 @@ passed variables are False::
{% firstof var1 var2 var3 "fallback value" %}
-Note that the variables included in the firstof tag will not be escaped. This
-is because template tags do not escape their content. If you want to escape
-the variables in the firstof tag, you must do so explicitly::
+Note that the variables included in the firstof tag will not be
+escaped. This is because template tags do not escape their content.
+Any HTML or Javascript code contained in the printed variable will be
+rendered as-is, which could potentially lead to security issues.
+
+If you need to escape the variables in the firstof tag, you must do so
+explicitly::
{% filter force_escape %}
{% firstof var1 var2 var3 "fallback value" %}
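Review bot: this hunk duplicates the `cycle` paragraph almost verbatim, so the same two edits apply: say "cross-site scripting (XSS)" instead of "security issues", and spell "JavaScript". One `firstof`-specific point worth a sentence: the quoted `"fallback value"` in the example is a string literal and is passed through `force_escape` too, which is harmless for plain text but means the fallback cannot contain intentional markup; authors who need markup in the fallback should render it outside the filter block.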