My Django app has a Person table, which contains the following text in a field named "details":
<script>alert('Hello');</script>
When I call PersonForm.details in my template, the page renders the <script> accordingly (a.k.a., an alert with the word "Hello" is displayed). I'm confused by this behavior because I always thought Django 1.0 autoescaped template content by default.
Any idea what may be going on here?
UPDATE: Here's the snippet from my template. Nothing terribly sexy:
{{ person_form.details }}
UPDATE 2: I have tried "escape", "force-escape", and "escapejs". None of these work.
2 solutions
#1
4
You need to mark the values as |safe, I think (I'm guessing that you're filling in the value from the database here(?)):
{{ value|safe }}
Could you post a sample of the template? Might make it easier to see what's wrong
[Edit] ..or are you saying that you want it to escape the values (make them safe)? Have you tried manually escaping the field:
{{ value|escape }}
[Edit2] Maybe escapejs from the Django Project docs is relevant:
escapejs
New in Django 1.0.
Escapes characters for use in JavaScript strings. This does not make the string safe for use in HTML, but does protect you from syntax errors when using templates to generate JavaScript/JSON.
[Edit3] What about force_escape:
{{ value|force_escape }}
...and I know it's an obvious one, but you're absolutely certain you've not got any caching going on in your browser? I've tripped over that one a few times myself ;-)
#2
0
Found the problem. The JSON string I'm using to render data to some Ext widgets is the culprit. Big thanks to Jon Cage. Answer accepted despite the problem being caused by another source.
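The two answers together describe the actual mechanism: `{{ person_form.details }}` is autoescaped for the HTML body, but the JSON string handed to the Ext widgets never passes through template autoescaping, so HTML inside it survives untouched. The following is an added example, not code from the question, the answers or Django itself; it uses only the Python standard library as a stand-in for Django's `escape` and for a script-safe JSON filter (Django 2.1 and later ship this as the `json_script` template filter). `DETAILS` and `PERSON` are constructed sample data taken from the question's field value.

```python
import html
import json

# Constructed sample input: the field value from the question above.
DETAILS = "<script>alert('Hello');</script>"
PERSON = {"name": "Example Person", "details": DETAILS}


def escape_for_html_body(value):
    """Stand-in for template autoescaping of a value rendered as HTML text:
    &, <, >, " and ' become entities, so the browser shows the tags as text."""
    return html.escape(value, quote=True)


# Characters that must never appear raw inside an inline <script> block.
# The HTML tokenizer ends the script at the first "</script" it sees, no
# matter how the JavaScript string is quoted, so < > & are turned into JSON
# \uXXXX escapes. U+2028/U+2029 are JavaScript line terminators; json.dumps
# already escapes them with the default ensure_ascii=True, but mapping them
# here keeps the output safe if someone passes ensure_ascii=False.
_SCRIPT_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}


def json_for_script(data):
    """Serialize data as JSON whose text is safe to embed inside <script>.
    The \\uXXXX escapes are valid JSON, so the parsed value is unchanged."""
    return "".join(_SCRIPT_UNSAFE.get(ch, ch) for ch in json.dumps(data))


def naive_script_block(data):
    """The pattern that bypasses autoescaping: raw JSON dropped into a script."""
    return "<script>var person = %s;</script>" % json.dumps(data)


def safe_script_block(data):
    """Same embedding, but with the script-safe serializer."""
    return "<script>var person = %s;</script>" % json_for_script(data)


def script_ends_early(block):
    """True if an HTML parser would close the <script> before its real end,
    i.e. the first "</script" in the body is not the one written at the end."""
    body = block[len("<script>"):]
    expected = len(body) - len("</script>")
    return body.lower().find("</script") != expected


def roundtrips(data):
    """The escaped JSON must decode to exactly the original data."""
    return json.loads(json_for_script(data)) == data


if __name__ == "__main__":
    print(escape_for_html_body(DETAILS))
    naive = naive_script_block(PERSON)
    safe = safe_script_block(PERSON)
    print(naive, "-> closes early:", script_ends_early(naive))
    print(safe, "-> closes early:", script_ends_early(safe))
    print("round-trips:", roundtrips(PERSON))
```

The check in `script_ends_early` is the one that matters for the question: the naive block breaks out of the `<script>` element at the `</script>` stored in the database, while the escaped form keeps the whole JSON literal inside the script and still decodes to the same object. Escaping the JSON only covers the transport, though; if the client-side widget then injects `details` via `innerHTML`, the markup executes anyway, so the widget must insert the value as text.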