Migrating into Django 1.9; question about autoescape

Migrating into Django 1.9; question about autoescape

Bill Torcaso-2

Hello all,

I have the task of migrating a very old website from Django 1.7 to either Django 1.11 or 2.0, depending on the effort.

My plan is to go from 1.7 --> 1.8 --> 1.9 --> 1.10 --> 1.11, adapting the codebase as I go.  It's been easy enough until I arrive at 1.9, and the change in template-rendering in which "autoescape" defaults to "on".

Now a lot of my payload is arriving at the browser with my HTML tags escaped.  For example,

    <button>       gets rendered as        &lt;button&gt;

I have no argument with the autoescape-on default setting.  But I am unsure how to proceed, and how large the effort will be.  As background, I am a seasoned back-end programmer and a lightweight in HTML and template issues.

I see these alternatives.  Are there any others?

  1. Get to the Template Engine object and set its autoescape attribute to "off".  This loses the protection that autoescape-on provides, restores the Django 1.8 behavior, and lets me proceed with the smallest amount of effort.

    Is this the template engine I need?  "django.core.context_processors.request"  And how do I get to the object?

  2. Visit all of my HTML files and put "{% autoescape off %}" everywhere.

    I put "{% autoescape off %}" in my base.html, and it partially solved the problem.  But it did not get everything.

    This is a medium amount of effort, and if I make a mistake the users will have a bad experience.

  3. Visit all of my code and all of my templates, carefully converting into the world of autoescape-on.

Thanks in advance,

  ---  Bill Torcaso

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/ada6d206-7daa-4c9f-a124-dab988909093%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
RE: Migrating into Django 1.9; question about autoescape

Matthew Pava

At first, I would do your step 1.  I would check for any other errors in Django 1.8, and then proceed with updating to 1.9 -> 1.10 -> 1.11 -> 2.0.  You are probably going to find other issues that need to be resolved in those upgrades.  Ultimately, you will probably have to do step 3.  I wouldn’t do step 2 since you’ll be updating all of your templates.  If you are going to update all your templates, you might as well just do step 3.

From: [hidden email] [mailto:[hidden email]] On Behalf Of Bill Torcaso
Sent: Tuesday, February 13, 2018 8:54 AM
To: Django users
Subject: Migrating into Django 1.9; question about autoescape

Migrating into Django 1.9; question about autoescape

Daniel Roseman-2
In reply to this post by Bill Torcaso-2
autoescape has defaulted to on since before Django 1.0; it was a massive change at the time.

The only change in escaping behaviour in 1.9 was around the output of simple tags, see https://docs.djangoproject.com/en/2.0/releases/1.9/#simple-tag-now-wraps-tag-output-in-conditional-escape - this is a very minor change which can be easily fixed within the tags themselves.
--
DR.

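Daniel's point about the 1.9 simple_tag change, as an added example that is not from this thread or from Django itself: a small pure-Python model of the escaping semantics (the SafeString, conditional_escape and format_html below mirror the behaviour of django.utils.safestring / django.utils.html, an assumption for illustration, not Django's own code). It shows why a simple tag that returns a plain str now renders as `&lt;button&gt;`, how fixing it inside the tag with format_html restores the markup while still escaping the label, and what alternative 1 (autoescape off globally) gives up.

```python
import html


class SafeString(str):
    """Marker type for a string whose content is already HTML-safe (models django's SafeString)."""


def mark_safe(value):
    # Declare a string trusted: it will pass through conditional_escape untouched.
    return SafeString(value)


def escape(value):
    # Unconditional escaping (models django.utils.html.escape): even "safe" input is escaped again.
    return SafeString(html.escape(str(value), quote=True))


def conditional_escape(value):
    # Escape only what is not already marked safe (models django.utils.html.conditional_escape).
    return value if isinstance(value, SafeString) else escape(value)


def format_html(template, *args):
    # Trust the literal markup in the template, escape every substituted argument.
    return mark_safe(template.format(*(conditional_escape(a) for a in args)))


def button_tag_old(label):
    # Pre-1.9 style tag: returns plain str markup and relied on the engine not escaping tag output.
    return "<button>%s</button>" % label


def button_tag_fixed(label):
    # Fix within the tag: markup is trusted, the (possibly user-supplied) label is escaped.
    return format_html("<button>{}</button>", label)


def render_simple_tag(tag, *args):
    # Django 1.9+ behaviour: simple_tag output is wrapped in conditional_escape before insertion.
    return str(conditional_escape(tag(*args)))


def render_with_autoescape_off(tag, *args):
    # Alternative 1 from the question: nothing is escaped, so a hostile label reaches the browser raw.
    return str(tag(*args))
```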