views: 1414
answers: 3

My Django app has a Person table, which contains the following text in a field named "details":

<script>alert('Hello');</script>

When I call PersonForm.details in my template, the page renders the <script> accordingly (a.k.a., an alert with the word "Hello" is displayed). I'm confused by this behavior because I always thought Django 1.0 autoescaped template content by default.

Any idea what may be going on here?

UPDATE: Here's the snippet from my template. Nothing terribly sexy:

{{ person_form.details }}

UPDATE 2: I have tried "escape", "force-escape", and "escapejs". None of these work.

+3  A: 

You need to mark the values as |safe, I think (I'm guessing that you're filling in the value from the database here?):

{{ value|safe }}

Could you post a sample of the template? Might make it easier to see what's wrong

[Edit] ...or are you saying that you want it to escape the values (make them safe)? Have you tried manually escaping the field:

{{ value|escape }}

[Edit2] Maybe escapejs from the Django Project docs is relevant:

escapejs

New in Django 1.0.

Escapes characters for use in JavaScript strings. This does not make the string safe for use in HTML, but does protect you from syntax errors when using templates to generate JavaScript/JSON.

[Edit3] What about force_escape:

{{ value|force_escape }}

...and I know it's an obvious one, but you're absolutely certain you've not got any caching going on in your browser? I've tripped over that one a few times myself ;-)

Jon Cage
I have tried forcibly escaping using the "escape" template tag. No dice. What I *want* it to do is not render the alert -- which, in my mind, would be to escape the value.
Huuuze
No caching either. That crossed my mind too. :)
Huuuze
Weird... I'll give this a try on my Django installation tonight and see if I can find anything...
Jon Cage
A: 

Found the problem. The JSON string I'm using to render data to some Ext widgets is the culprit. Big thanks to Jon Cage. Answer accepted despite the problem being caused by another source.

Huuuze
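The thread's resolution (the payload reached the page through a JSON string fed to Ext widgets, not through {{ person_form.details }}) and the escapejs note above ("does not make the string safe for use in HTML") both come down to one point: escaping is per output context, and data that bypasses the template goes through none of it. The following is an added example, not code from the question, the answers or Django itself. It is pure Python with no Django dependency; html_escape and js_string_escape are assumed stand-ins modelled on Django's escape and escapejs filters, json_for_script uses the technique of Django's json_script filter, and the sample value DETAILS is constructed to match the payload in the question. The assumption about the client side is that the widget does something equivalent to element.innerHTML = data.details.

```python
"""Context-specific escaping: why template autoescape did not stop the alert.

Assumptions (not Django's own code): html_escape mirrors Django's `escape`,
js_string_escape mirrors `escapejs`, json_for_script mirrors `json_script`.
"""
import json
import re

# Constructed sample value, the same payload as in the question.
DETAILS = "<script>alert('Hello');</script>"

_HTML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def html_escape(value: str) -> str:
    """HTML-body escaping: what {{ value }} does with autoescape on."""
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in value)


# escapejs-style table: characters that could break out of a JS string
# literal or a <script> element become \uXXXX escapes; control chars too.
_JS_ESCAPES = {ch: "\\u%04X" % ord(ch) for ch in "\\'\"><&=-;`\u2028\u2029"}
_JS_ESCAPES.update({chr(i): "\\u%04X" % i for i in range(32)})


def js_string_escape(value: str) -> str:
    """JS string-literal escaping, modelled on Django's escapejs filter."""
    return "".join(_JS_ESCAPES.get(ch, ch) for ch in value)


def decoded_by_javascript(escaped: str) -> str:
    """What the JS engine holds once the literal is evaluated.

    \\uXXXX escapes are valid JSON, so json.loads models the decoding:
    the original markup comes straight back."""
    return json.loads('"' + escaped + '"')


def json_for_script(obj) -> str:
    """JSON that is safe to inline in a <script> element: '<', '>' and '&'
    become \\u escapes, so '</script>' can never appear in the output."""
    return (json.dumps(obj)
            .replace("<", "\\u003C")
            .replace(">", "\\u003E")
            .replace("&", "\\u0026"))


_SCRIPT_END = re.compile(r"</script", re.IGNORECASE)


def breaks_out_of_script(inline_text: str) -> bool:
    """True if the text would terminate an enclosing <script> element early."""
    return _SCRIPT_END.search(inline_text) is not None


def main():
    print("{{ value }}          ->", html_escape(DETAILS))
    print("{{ value|safe }}     ->", DETAILS)
    js = js_string_escape(DETAILS)
    print("{{ value|escapejs }} ->", js)
    # escapejs protected the JS syntax, but the HTML is intact after decoding.
    print("after JS evaluation  ->", decoded_by_javascript(js))

    payload = {"details": DETAILS}
    naive = json.dumps(payload)
    print("json.dumps           ->", naive, "| breaks out:", breaks_out_of_script(naive))
    safe = json_for_script(payload)
    print("json_for_script      ->", safe, "| breaks out:", breaks_out_of_script(safe))
    # Whatever the server escaped for the transport, the decoded value is
    # still raw markup; a widget that assigns it to innerHTML renders it.
    print("decoded details      ->", json.loads(safe)["details"])


if __name__ == "__main__":
    main()
```

The takeaway for the thread: the template filters were never the problem, because the Person.details value reached the page as JSON and was rendered by client-side code. Escaping on the JSON channel only protects the JSON/JS syntax; the value must be HTML-escaped (or inserted as text, not markup) at the point where the widget puts it into the DOM.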
A: 

Is person_form a form, or a Person instance?

edit: Nevermind, you've solved it

Dan