Django: automatic HTML escaping

Source: Internet
Author: User

1. Automatic HTML escaping

When generating HTML from a template, there is always a risk that a variable will contain characters that affect the resulting HTML. For example, consider this template fragment:

Hello, {{ name }}

At first glance, this seems a harmless way to display a user's name, but consider what happens if the user enters their name as:

<script>alert('123')</script>

With this name value, the template would render as:

Hello, <script>alert('123')</script>

This means the browser will pop up a JavaScript alert box!

Obviously, data submitted by users should not be blindly trusted and inserted directly into your web pages, because a malicious user could use that kind of hole to do potentially bad things. This type of security vulnerability is known as cross-site scripting (XSS).

To avoid this problem, you have two options:

    • One, you can make sure that every untrusted variable is run through the escape filter (described below), which converts potentially harmful HTML characters into harmless ones. This was the default solution in Django's first few years, but the problem is that it puts the onus on you, the developer or template author, to make sure you escape everything; forgetting to escape data is easy.
    • Two, you can take advantage of Django's automatic HTML escaping.

By default, every template in Django automatically escapes the output of every variable tag. Specifically, these five characters are escaped:

    • < is converted to &lt;
    • > is converted to &gt;
    • ' (single quote) is converted to &#39;
    • " (double quote) is converted to &quot;
    • & is converted to &amp;

Again, we emphasize that this behavior is on by default. If you are using Django's template system, you are protected.

2. How to turn it off

If you do not want your data to be automatically escaped, you can turn auto-escaping off in several ways: per site, per template, or per variable.

Why would you want to turn it off? Because sometimes a template variable contains data that you intend to render as raw HTML, in which case you do not want its contents escaped. For example, you might store a piece of HTML in your database and want to embed it directly in your template. Or you may be using Django's template system to produce text that is not HTML, such as an e-mail.

For individual variables

To disable auto-escaping for an individual variable, use the safe filter:

This will be escaped: {{ data }}
This will not be escaped: {{ data|safe }}

Think of safe as shorthand for "safe from further escaping" or "can be safely interpreted as HTML". In this example, if data contains '<b>', the output would be:

This will be escaped: &lt;b&gt;
This will not be escaped: <b>

For template blocks

To control auto-escaping for a whole template (or just a particular section of it), wrap it in the autoescape tag, like so:

{% autoescape off %}
    Hello {{ name }}
{% endautoescape %}

The autoescape tag takes either on or off as its argument. Sometimes you may want to force auto-escaping back on inside a block where it would otherwise be disabled. Here is an example template:

Auto-escaping is on by default. Hello {{ name }}

{% autoescape off %}
    This will not be auto-escaped: {{ data }}.

    Nor this: {{ other_data }}
    {% autoescape on %}
        Auto-escaping applies again: {{ name }}
    {% endautoescape %}
{% endautoescape %}
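As an added example that is not code from the page or from Django itself, the following pure-Python re-implementation of the behaviour documented above (the five-character escaping from part 1, the safe filter, and nested autoescape on/off blocks) lets you run the templates shown on this page offline and inspect the output. The names escape, SafeString and render are chosen for this example and are not Django's API; only the template syntax that appears on this page is handled, and the sample variable values are constructed.

```python
# Added example, not code from the page or from Django: a minimal re-implementation of
#   1. the five-character escaping Django applies to every {{ variable }} by default,
#   2. the `safe` filter, which marks one variable's value as already-safe HTML,
#   3. nested {% autoescape on|off %} ... {% endautoescape %} blocks.
# Only the template syntax shown on the page is supported; the names below are ours.
import re

# The page's five replacements. str.translate applies all of them in a single pass,
# so "&" is never escaped twice (the classic bug of chained str.replace calls in the
# wrong order).
_ESCAPES = str.maketrans({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",  # value given on the page; Django 3.0+ emits &#x27;, which decodes the same
})


class SafeString(str):
    """A str subclass marking text that must not be escaped again (what `|safe` yields)."""


def escape(value):
    """Escape `value` unless it has already been marked safe."""
    if isinstance(value, SafeString):
        return value
    return SafeString(str(value).translate(_ESCAPES))


# Tokens handled: {% autoescape on %}, {% autoescape off %}, {% endautoescape %},
# {{ var }} and {{ var|safe }}.
_TOKEN = re.compile(
    r"\{%\s*autoescape\s+(?P<mode>on|off)\s*%\}"
    r"|\{%\s*(?P<end>endautoescape)\s*%\}"
    r"|\{\{\s*(?P<var>\w+)(?P<safe>\s*\|\s*safe)?\s*\}\}"
)


def render(template, context, autoescape=True):
    """Substitute variables, escaping each one according to the enclosing autoescape state."""
    stack = [autoescape]  # innermost {% autoescape %} setting is on top; default is on
    out = []
    pos = 0
    for m in _TOKEN.finditer(template):
        out.append(template[pos:m.start()])
        pos = m.end()
        if m.group("mode"):
            stack.append(m.group("mode") == "on")
        elif m.group("end"):
            if len(stack) == 1:
                raise ValueError("endautoescape without a matching autoescape")
            stack.pop()
        else:
            value = context.get(m.group("var"), "")
            if m.group("safe"):
                value = SafeString(value)  # `|safe`: trust this value as HTML
            out.append(escape(value) if stack[-1] else str(value))
    if len(stack) != 1:
        raise ValueError("unclosed autoescape block")
    out.append(template[pos:])
    return "".join(out)


PAYLOAD = "<script>alert('123')</script>"  # the name value from the page


def demo_default():
    """Default behaviour: the payload comes out as text, not live markup."""
    return render("Hello, {{ name }}", {"name": PAYLOAD})


def demo_safe():
    """The safe filter bypasses escaping for that one variable only."""
    return render("This will be escaped: {{ data }}\nThis will not be escaped: {{ data|safe }}",
                  {"data": "<b>"})


# The nested template from the page, with constructed sample values.
NESTED = (
    "Auto-escaping is on by default. Hello {{ name }}\n"
    "{% autoescape off %}\n"
    "    This will not be auto-escaped: {{ data }}.\n"
    "    Nor this: {{ other_data }}\n"
    "    {% autoescape on %}\n"
    "        Auto-escaping applies again: {{ name }}\n"
    "    {% endautoescape %}\n"
    "{% endautoescape %}"
)


def demo_nested():
    """Escaping is off inside the outer block and back on inside the inner one."""
    return render(NESTED, {"name": "<i>", "data": "<b>", "other_data": "&"})


if __name__ == "__main__":
    print(demo_default())
    print(demo_safe())
    print(demo_nested())
```

Two details are worth noticing when reading the output: a value that has already been escaped is returned unchanged by escape (so marking it safe and escaping it again never double-encodes), and an unbalanced autoescape block is rejected rather than silently leaving escaping off for the rest of the template.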

The autoescape tag passes its effect on to templates that extend the current one and to templates pulled in via the include tag, just like all block tags.

Because auto-escaping is turned off in the base template, it is also turned off in the child template, so the following HTML is rendered when the greeting variable contains the string <b>Hello!</b>:

<h1>This &amp; that</h1>
<b>Hello!</b>
