In my admin, I have a text area where the user can input HTML:

<ul>
  <li>blah</li>
</ul>
<p>
  Stuffs
</p>

When I push the above to my template and I view the source of the page, I get:

&lt;ul&gt;
  &lt;li&gt;blah&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
  Stuffs
&lt;/p&gt;

What should I do with my output so that I see actual html in the page source?

+2  A: 

You need the 'safe' filter, as the output is autoescaped.

{{ my_html|safe }}
Nixarn
A: 

See the template tags documentation here; check the autoescape tag description.

kender
A: 

By “text area”, do you mean a <textarea>?

Because if so, escaping < to &lt; (et al) is what you must do inside a textarea or any other HTML element: Django is doing the Right Thing. You see the correct, decoded version of the text on the page; who cares what the source looks like?

If you don't escape the contents of a textarea you are not only generating invalid HTML, you're also opening yourself to attacks where the user inputs:

</textarea>
<script>
    steal(document.cookie);
    location.href= 'russian malware site';
    // etc.
</script>
bobince
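An added example, not code from the question or any of the answers: if the stored HTML really is meant to render (Nixarn's `|safe`), pass it through an allow-list sanitizer first so that the `</textarea><script>` break-out bobince describes never reaches the page. It assumes, from the question's input, that only `ul`, `li` and `p` are needed, and uses the Python standard library rather than Django's template engine, since the point does not depend on it.

```python
"""Allow-list sanitizer for HTML that will later be rendered with |safe.
Assumption: the admin only needs the tags seen in the question (ul, li, p);
every other tag is dropped, and script/style bodies are discarded too."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"ul", "li", "p"}          # assumption: taken from the question's input
DROP_CONTENT_TAGS = {"script", "style"}   # the tag *and* its text are discarded


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # "&lt;" arrives as "<" and is re-escaped
        self.out = []
        self.skip_depth = 0                      # >0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"<{tag}>")          # attributes (onclick, style, ...) dropped
        # unknown tags (textarea, a, img, ...) vanish; their inner text is kept

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=True))  # same characters Django escapes


def sanitize(raw_html: str) -> str:
    """Return markup that is safe to emit with {{ value|safe }}."""
    parser = AllowListSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


# Constructed inputs: the admin's markup from the question and the
# textarea break-out from bobince's answer.
GOOD = "<ul>\n  <li>blah</li>\n</ul>\n<p>\n  Stuffs\n</p>"
BAD = "</textarea>\n<script>\n    steal(document.cookie);\n</script>"

if __name__ == "__main__":
    print(sanitize(GOOD))        # unchanged: every tag is on the allow list
    print(repr(sanitize(BAD)))   # '\n': the script tag and its body are gone
```

In a Django view, store `sanitize(submitted_html)` and render the stored value with `|safe`; anything shown back inside a `<textarea>` is still left to autoescaping.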