Apostrophes in attributes are escaped (prevents developer from using url tag) #50

bcoughlan · 2011-11-06T21:14:06Z

action: "{% url 'django.contrib.auth.views.login' %}"

renders as:

`action='{% url "django.contrib.auth.views.login" %}'``

Which is obviously problematic. Had a poke around the code but I'm not familiar enough with it yet to track down the problem.

Is there a need to escape apostrpohes at all. Given that it's a developers language I don't see any security risk posed by it.

The text was updated successfully, but these errors were encountered:

andreif · 2011-11-07T11:21:11Z

I think this issue is related to #38 and #39. Using logic as a string with Django template tags is probably not the best idea. I believe we can add some original haml logic:

%form{action: url('django.contrib.auth.views.login')}

converted to:

<form action="{% url 'django.contrib.auth.views.login' %}">

andreif · 2011-11-07T11:23:16Z

You may be also interested in albsen#4 (comment)

#67, #69, #54 and #50 fixes

bcoughlan mentioned this issue Nov 8, 2011

Logic in attributes dictionary #38

Closed

bcoughlan mentioned this issue Feb 15, 2012

#67, #69, #54 and #50 fixes #70

Merged

jessemiller closed this as completed in 5bc169a Feb 21, 2012

jessemiller added a commit that referenced this issue Feb 21, 2012

Merge pull request #70 from bcoughlan/master

929c27e

#67, #69, #54 and #50 fixes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Apostrophes in attributes are escaped (prevents developer from using url tag) #50

Apostrophes in attributes are escaped (prevents developer from using url tag) #50

bcoughlan commented Nov 6, 2011

andreif commented Nov 7, 2011

andreif commented Nov 7, 2011

Apostrophes in attributes are escaped (prevents developer from using url tag) #50

Apostrophes in attributes are escaped (prevents developer from using url tag) #50

Comments

bcoughlan commented Nov 6, 2011

andreif commented Nov 7, 2011

andreif commented Nov 7, 2011