views:

183

answers:

3

I want to display some HTML in Django 1.0 templates, and to do that I have been doing something like this:

{% autoescape off %}{{ var.text }}{% endautoescape %}

and I am just wondering how safe this is. Am I still protected against SQL injection and cross-site scripting and other vulnerabilities like that?

=== Edit ===

This text will be coming from users, so what is the best way to display HTML in a Django template safely?

+3  A: 

The autoescape would be a protection against cross-site scripting, not SQL injection (for which you need to make sure your inputs are scrubbed). Turning autoescape off would mean you trust what is in "text", wherever it came from, not to be malicious (i.e., it should be impossible for a user to create or modify what is in text). If that assumption is valid, then you are safe against cross-site scripting; otherwise, that is a security hole.

Todd Gardner
+1 - great answer!
Dominic Rodger
I edited my question above: "This text will be coming from users, so what is the best way to display HTML in a Django template safely?"
Joe
+2  A: 

No. When you mark your HTML as safe in the template engine, you are taking the responsibility to make sure it's safe to render.

Also, you can simplify (well, shorten) your code a little by changing

{% autoescape off %}
    {{ var.text }}
{% endautoescape %}

to

{{ var.text|safe }}
marcc
A: 

Whether or not this is safe depends entirely on where var.text came from. If it is a promotional message (for example) that is entirely in your control, then you're safe as long as you don't shoot yourself in the foot. If var.text somehow came from a user, then you are in danger.

Ned Batchelder
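Added example, not from any of the answers above and not Django's own code: a stand-alone Python script that models the three cases the thread discusses using only the standard library. `html.escape` stands in for what autoescaping does to `{{ var.text }}` (it escapes the same five characters, `& < > " '`), `render_safe` is what `{{ var.text|safe }}` or `{% autoescape off %}` produces, and `AllowlistSanitizer` is a hypothetical helper (not a Django API) showing the only way user-supplied HTML can reasonably be marked safe: rebuild it keeping an allowlist of tags with no attributes. The sample input is constructed for the demo.

```python
"""Model of Django's autoescape / |safe behaviour plus an allowlist sanitizer.

Added example, standard library only (no Django import): html.escape stands in
for the template engine's autoescaping, and AllowlistSanitizer is a hypothetical
helper, not a Django API. The sample input below is constructed for the demo.
"""
import html
from html.parser import HTMLParser

# Constructed allowlist: simple formatting tags only, no links, no attributes.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
VOID_TAGS = {"br"}
# Content of these elements is dropped along with the tags themselves.
DROP_CONTENT_TAGS = {"script", "style"}


def render_autoescaped(value: str) -> str:
    """What {{ var.text }} produces with autoescape on: every special
    character becomes an entity, so user text can never form markup."""
    return html.escape(value, quote=True)


def render_safe(value: str) -> str:
    """What {{ var.text|safe }} (or autoescape off) produces: the string is
    emitted verbatim, so whoever controls it controls the page."""
    return value


class AllowlistSanitizer(HTMLParser):
    """Rebuild user HTML keeping only ALLOWED_TAGS, stripped of attributes.

    Text nodes are re-escaped, so '&lt;script&gt;' in the input cannot come
    back out as a live tag, and script/style bodies are discarded entirely.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skipping = False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skipping = True
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes dropped: no onclick= etc.
        # any other tag is silently removed

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skipping = False
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_startendtag(self, tag, attrs):
        # e.g. <br/>: emit the open tag, plus a close tag for non-void elements
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(html.escape(data, quote=True))

    # comments, declarations and processing instructions fall through to
    # HTMLParser's no-op handlers and therefore never reach the output


def sanitize(user_html: str) -> str:
    """Return HTML that is safe to mark |safe: only allowlisted tags survive."""
    parser = AllowlistSanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample of what a user might submit through a form.
USER_TEXT = 'Hello <b onclick="x()">world</b><script>alert(1)</script> & "friends"'

if __name__ == "__main__":
    print("autoescape on :", render_autoescaped(USER_TEXT))
    print("|safe, raw    :", render_safe(USER_TEXT))
    print("sanitized     :", sanitize(USER_TEXT))
```

The point the three functions make: autoescaping is safe but shows the user's markup as literal text; `|safe` renders the markup but hands the page to whoever wrote the string; only `sanitize()` followed by `|safe` gives both. In a real project the sanitizing step belongs in the view or model (for instance wrapping the result with `django.utils.safestring.mark_safe`), so the template never has to decide whether a string is trusted, and a maintained allowlist sanitizer library such as bleach is a better choice than a hand-rolled parser like the one above.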