datadesk/django-softhyphen

HTML escape problems when using as template filter

Opened this issue · 1 comment

I’ve tried django-softhyphen as a template filter with Django 1.9.1, Python 3.4

When I leave autoescape on (the default), I get all the &shy; entities escaped, so they are being displayed as &shy; on the web page. So I have to turn off autoescape for the fields where I want hyphenation, which might be a security problem, and causes problems when there are & or < in the text fields, which are then interpreted as HTML syntax. I had a company name with & and no space afterwards, which displayed as a funny special character. Putting a space after the & avoids this, but it's still wrong HTML.

Yeah, the templatetag needs to be wrapped in mark_safe:

from django import template
from django.utils.safestring import mark_safe

from softhyphen.html import hyphenate  # django-softhyphen's hyphenate() (import path assumed)

register = template.Library()


@register.filter
def softhyphen(value, language=None):
    """
    Hyphenates html.

    The result is marked safe so Django's autoescaping does not turn the
    inserted &shy; entities into &amp;shy;.
    """
    return mark_safe(hyphenate(value, language=language))

(Think about it, if that would actually be insecure...)
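As an added illustration (not code from this issue or from django-softhyphen), the three orderings discussed above are modelled without Django, using a constructed stand-in hyphenator: autoescaping the filter output reproduces the reporter's literal &shy;, marking unescaped input safe lets & and < through as markup, and escaping the input before hyphenating and marking safe keeps both the entities and the escaping intact. In a real Django filter the escape step would be django.utils.html.conditional_escape so already-safe input is not escaped twice.

```python
import html
import re

SHY = "&shy;"  # the HTML entity django-softhyphen inserts for a soft hyphen

# Constructed stand-in for django-softhyphen's hyphenate(): words of six or
# more letters are split into 3-letter chunks joined by &shy;. Already-escaped
# entities such as &amp; are matched first and left untouched, otherwise the
# hyphenator would break them apart (e.g. "&am&shy;p;").
_TOKEN = re.compile(r"&[#\w]+;|[A-Za-z]{6,}")


def toy_hyphenate(text):
    def repl(match):
        token = match.group(0)
        if token.startswith("&"):
            return token
        return SHY.join(token[i:i + 3] for i in range(0, len(token), 3))
    return _TOKEN.sub(repl, text)


def autoescaped_filter(value):
    # What the reporter saw: the filter output is autoescaped, so the
    # inserted "&shy;" becomes "&amp;shy;" and shows up literally.
    return html.escape(toy_hyphenate(value), quote=True)


def mark_safe_filter(value):
    # The reply's fix, modelled: output is marked safe, so nothing is escaped.
    # Any "<" or "&" present in value reaches the browser as raw markup.
    return toy_hyphenate(value)


def escaped_then_marked_safe(value):
    # Hardened ordering: escape the input, then hyphenate, then mark safe.
    # Entities produced by escaping survive, and &shy; is not double-escaped.
    return toy_hyphenate(html.escape(value, quote=True))
```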