#35897: Template system: escape() calls in get_exception_info() should be removed
-------------------------------------+-------------------------------------
     Reporter:  Klaas van Schelven   |                     Type:
                                     |  Uncategorized
       Status:  new                  |                Component:
                                     |  Uncategorized
      Version:  dev                  |                 Severity:  Normal
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 
 [https://github.com/django/django/blob/042b381e2e37c0c37b8a8f6cc9947f1a2ebfa0dd/django/template/base.py#L250 Here] there are some calls to `escape()`.

 They shouldn't be there: escaping happens in templates for non-safe
 strings anyway, so there's no need.

 And there _is_ a drawback: as an example, the Python Sentry SDK
 [https://github.com/getsentry/sentry-python/blob/200d0cdde8eed2caa89b91db8b17baabe983d2de/sentry_sdk/integrations/django/templates.py#L32 copies this info],
 but because it gets sent over the wire (as a JSON string) the information
 that this has already been escaped is lost, and on the receiving end it is
 escaped again.

 This means that on the server side [https://www.bugsink.com/ the
 error-tracking, in my case Bugsink] will show doubly escaped HTML code
 snippets. This looks something like this:

 {{{
 <p class="relative text-slate-600 text-base md:text-xl mb-4 md:mb-5">
 }}}

 Removing the calls to `escape` simply solves this, which makes sense:
 calling `escape` is simply not the responsibility of this piece of code;
 the string should just stay marked as unsafe and be escaped at the edges
 (on rendering).
-- 
Ticket URL: <https://code.djangoproject.com/ticket/35897>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
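
Added example (not Django's, Sentry's or Bugsink's code): a self-contained Python model of the round trip described in the ticket. `SafeString` and `conditional_escape` here are constructed stand-ins that follow the same rule as Django's autoescaping (a value exposing `__html__` is passed through, anything else is escaped exactly once); `ship_over_wire`, `render`, the two `exception_info_*` builders and the sample snippet are likewise constructed for the example. It shows why escaping inside `get_exception_info()` is harmless while the data stays in one process (the "already escaped" marker survives) but double-escapes as soon as the value is serialized as JSON, and that leaving the string raw yields a single escape on both sides.

```python
import html
import json


class SafeString(str):
    """Constructed stand-in for Django's SafeString (not Django's class):
    a str subclass that declares itself already-escaped via __html__."""

    def __html__(self):
        return self


def conditional_escape(value):
    """Autoescape rule used by an autoescaping renderer: a value exposing
    __html__ passes through untouched; anything else is escaped once."""
    if hasattr(value, "__html__"):
        return value.__html__()
    return SafeString(html.escape(str(value), quote=True))


# Constructed sample source line, in the spirit of the one quoted above.
SNIPPET = '<p class="relative text-slate-600 mb-4">'


def exception_info_escaped_early(snippet):
    """Current behaviour: escape() applied while building the info dict."""
    return {"source_line": conditional_escape(snippet)}


def exception_info_raw(snippet):
    """Proposed behaviour: keep the unsafe string; escape only when rendering."""
    return {"source_line": snippet}


def ship_over_wire(info):
    """Stand-in for an SDK copying the dict into an event and sending it as
    JSON. The characters survive the round trip; the SafeString type (the
    'already escaped' marker) does not, so json.loads hands back a plain str."""
    return json.loads(json.dumps(info))


def render(info):
    """The template autoescape step, on whichever side does the rendering."""
    return str(conditional_escape(info["source_line"]))


def in_process(info_builder):
    """Django rendering its own debug page: no serialization in between."""
    return render(info_builder(SNIPPET))


def via_error_tracker(info_builder):
    """SDK -> JSON over the wire -> error tracker renders the snippet."""
    return render(ship_over_wire(info_builder(SNIPPET)))


if __name__ == "__main__":
    for builder in (exception_info_escaped_early, exception_info_raw):
        print(builder.__name__)
        print("  in process       :", in_process(builder))
        print("  via error tracker:", via_error_tracker(builder))
```

Note that the receiving side still has to escape: once the marker is gone it has no way to know the string is safe, and trusting it would be the actual XSS risk. That is exactly why removing the early `escape()` loses nothing: the edge (the template, or the error tracker's renderer) escapes anyway, and doing it once there is the only place where the escaping is correct in every path.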

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/d/msgid/django-updates/010701930af56db2-adbc9190-49e5-41f1-905b-38b9f2af2240-000000%40eu-central-1.amazonses.com.

Reply via email to