I want to display some HTML in Django 1.0 templates and to do that I have been doing something like this:
{% autoescape off %}{{ var.text }}{% endautoescape %}
and I am just wondering how safe this is? Am I still protected against SQL injection and cross-site scripting and other vulnerabilities like that?
Update:
This text will be coming from users, so what is the best way to display HTML in a Django template safely?
The autoescape would be a protection against cross-site scripting, not SQL injection (for which you need to make sure your inputs are scrubbed). Turning autoescape off would mean you trust what is in "text", wherever it came from, not to be malicious (i.e., it should be impossible for a user to create or modify what is in text). If that assumption is valid, then you are safe against cross-site scripting; otherwise, that is a security hole.
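As an added example (not code from the question, the answer or Django), here is a stdlib-only allowlist sanitiser that makes the answer's "trust what is in text" assumption hold for user-supplied HTML: the input is reduced to a small allowlist of tags and attributes, with every text node and attribute value re-escaped, before the result would be marked safe for an {% autoescape off %} block. ALLOWED_TAGS, ALLOWED_ATTRS, SAFE_URL_SCHEMES and DROP_CONTENT are constructed for this example; Django itself is not imported.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist for this example (not Django's): only these survive sanitising.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}  # tags whose inner text must not reach the page


class AllowlistSanitizer(HTMLParser):
    """Rebuild HTML keeping only allowlisted tags/attributes; re-escape all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself, keep its (escaped) children
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # event handlers (onclick, onerror, ...) never pass
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # rejects javascript:, data: and other schemes
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))


def sanitize(user_html: str) -> str:
    """Return HTML that is safe to render with autoescape turned off."""
    parser = AllowlistSanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out)
```

The sanitised string, not the raw user text, is what the view should store or pass to the template; anything outside the allowlist, including script bodies and non-http(s) links, is dropped or escaped.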