Updated tower to enable auto-safe for gettext calls.

mozilla · Feb 18, 2011 · af21ab2 · af21ab2
1 parent fcfc836
commit af21ab2
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 12 deletions.
diff --git a/apps/examples/templates/examples/home.html b/apps/examples/templates/examples/home.html
@@ -4,7 +4,7 @@
 <h1>{{ _('Hello world') }}</h1>
 
 {# L10n: This is a localizer comment #}
-<p>{{ _('This is a test view.') }}</p>
+<p>{{ _('This is a <em>test view</em>.') }}</p>
 <p>
   {% trans docs_url='http://mozilla.github.com/playdoh/' %}
   <a href="{{ docs_url }}">Learn you some Playdoh</a> and then go build

diff --git a/docs/bestpractices.rst b/docs/bestpractices.rst
@@ -15,33 +15,37 @@ Using something like ``mystring|safe`` in a template will prevent Jinja2 from
 auto-escaping it. Sadly, this requires us to be really sure that ``mystring``
 is not raw, user-entered data. Otherwise we introduce an XSS vulnerability.
 
-``|safe`` is safe to use in cases where, for example, you have a localized
-string that contains some HTML::
+We have therefore eliminated the need for ``|safe`` for localized strings. This
+works::
 
-    {{ _('Welcome to <strong>playdoh</strong>!')|safe }}
+    {{ _('Hello <strong>world</strong>!') }}
 
 
 String interpolation
 ~~~~~~~~~~~~~~~~~~~~
 
-When you *interpolate* data into such a string, do not use ``|f(...)|safe``.
-The data could be unsafe. Instead, use the helper ``|fe(...)``. It will
-escape all its arguments before doing string interpolation, then return
-HTML that's safe to use::
+When you *interpolate* data into such a string, however, the resulting output
+will lose its "safeness" and be escaped again. To mark the *localized part*
+of an interpolated string as safe, do not use ``|f(...)|safe``. The data could
+be unsafe. Instead, use the helper ``|fe(...)``. It will escape all its
+arguments before doing string interpolation, then return HTML that's safe to
+use::
 
     {{ _('Welcome back, <strong>{username}</strong>!')|fe(username=user.display_name) }}
 
-``|f(...)|safe`` is to be considered unsafe and should not pass code review.
+``|f(...)|safe`` is to be considered unsafe and **should not pass code
+review**.
 
 If you interpolate into a base string that does *not contain HTML*, you may
-keep on using ``|f(...)`` without ``|safe``, of course, as it will be
-auto-escaped on output::
+keep on using ``|f(...)`` without ``|safe``, of course, as the auto-escaping
+won't harm anything::
 
     {{ _('Author name: {author}')|f(author=user.display_name) }}
 
 
 Form fields
 ~~~~~~~~~~~
+
 Jinja2, unlike Django templates, by default does not consider Django forms
 "safe" to display. Thus, you'd use something like ``{{ form.myfield|safe }}``.
 

diff --git a/vendor b/vendor