tags:

views:

251

answers:

2

I'm experiencing what I would consider somewhat strange behavior. Specifically if I have a string like this:

1984: Curriculum Unit
by Donald R. Hogue, Center for Learning, George Orwell

"A center for learning publication"--Cover.

It results in the following after being auto-escaped by the Django template system:

1984: Curriculum Unit
by Donald R. Hogue, Center for Learning, George Orwell

&quot;A center for learning publication&quot;--Cover.

The problem seems to be that the " (quote), which should become &quot;, is being escaped twice, resulting in &amp;quot;. This results in strange-looking formatting. I'm using Django 1.0.2, so it should be up to date (though I should note I'm using the Ubuntu 9.04 included package python-django), but this behavior seems contrary to the intended behavior.

I've looked a little at django.utils.html.py which includes the actual function:

    def escape(html):
        """Returns the given HTML with ampersands, quotes and carets encoded."""
        return mark_safe(force_unicode(html).replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;').replace("'", '&#39;'))
    escape = allow_lazy(escape, unicode)

Anyway, that looks like it should escape the & before anything else, which would be fine. So my suspicion is that it is being called twice. Any thoughts?

Thanks.

Update: I was suspicious that it might have something to do with Ubuntu's Django, which it lists as "1.0.2-1" so I installed "1.0.2-final" and am experiencing the same problem.

A: 

You shouldn't have to think about escaping in 1.0 . If you have a template

<html>
 <body>
  & == &amp; in HTML
 </body>
</html>

It should encode the & to &amp; before printing.

If you have a variable

<html>
 <body>
  {{ msg }}
 </body>
</html>

and

def view(request):
    msg = "& == &amp; in HTML"

it should be printed the same way.

The only time you want to do the encoding yourself is if you need to paste in raw html. Like:

def view(request):
    msg = '<img src="http://example.com/pretty.jpg" />This picture is very pretty'

and in your template

<html>
 <body>
  {{ msg|safe }}
 </body>
</html>
Paul Tarjan
philipk
Well, I tried doing something like that, and it came out just fine. That being said though, my problem with my actual code is unrelated. I'm going to poke around a bit.
philipk
+1  A: 

Oh hardy har har,

Silly me, Google is so smart that they already escaped those chars in the XML I was parsing. Wouldn't you know it, an hour of fiddling only to realize Google outsmarted me again!

P.S. In case anyone else ever comes across a similar problem, I'm specifically referring to the XML returned when doing this sort of query: http://books.google.com/books/feeds/volumes?q=1984 , the data is already escaped for you! That being said, it does put me on edge a little bit because putting |safe in my templates will mean that if I ever get data from another source that I don't trust so much... Anyway, thanks for reading!

philipk
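Added example (not code from the question, the answers or Django itself) that reproduces both threads of the discussion: the first answer's point that autoescaping happens once per variable and leaves values already marked safe alone, and the second answer's diagnosis that the feed text was already HTML-escaped before Django ever saw it. It reimplements the `escape` function quoted in the question with a simplified `SafeText` marker standing in for Django's SafeString, and parses a constructed two-entry Atom feed (not a real Google Books response) with the standard library. It then renders each summary three ways: plain `{{ var }}` (the double-escaping symptom), `{{ var|safe }}` (no double escaping, but a hostile entry goes through verbatim), and decoding the feed's own HTML escaping once before letting autoescape run (escaped exactly once, hostile entry neutralised). `render_*`, `summaries` and `FEED_XML` are names chosen for this example.

```python
import html
import xml.etree.ElementTree as ET


class SafeText(str):
    """Stand-in for Django's SafeString marker (assumption: simplified, not Django's own
    class). conditional_escape() leaves instances alone; that is what |safe relies on."""


def mark_safe(value):
    return SafeText(value)


def escape(value):
    """Same replacements, in the same order, as the django.utils.html.escape quoted in the
    question: '&' goes first, so an entity already present ('&quot;') becomes '&amp;quot;'."""
    return mark_safe(str(value)
                     .replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')
                     .replace('"', '&quot;').replace("'", '&#39;'))


def conditional_escape(value):
    """What {{ var }} does with autoescape on: escape unless the value is already marked safe.
    Escaping an already-escaped-and-marked value a second time is therefore a no-op."""
    if isinstance(value, SafeText):
        return value
    return escape(value)


# Constructed stand-in for two <entry> elements of an Atom feed (not a real Google Books
# response). Entry 1 carries text that is already HTML-escaped, so the XML layer escapes the
# '&' of each entity once more; entry 2 is the kind of record a less trustworthy feed might carry.
FEED_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <entry>
    <title>1984: Curriculum Unit</title>
    <summary>&amp;quot;A center for learning publication&amp;quot;--Cover.</summary>
  </entry>
  <entry>
    <title>hostile</title>
    <summary>&lt;script&gt;alert(1)&lt;/script&gt;</summary>
  </entry>
</feed>"""

ATOM = {'a': 'http://www.w3.org/2005/Atom'}


def summaries(xml_bytes):
    """The XML parser undoes exactly one level of escaping (the XML one), nothing more."""
    root = ET.fromstring(xml_bytes)
    return [el.text for el in root.iterfind('a:entry/a:summary', ATOM)]


def render_autoescaped(value):
    """{{ value }} with autoescape on."""
    return conditional_escape(value)


def render_safe(value):
    """{{ value|safe }}: emitted verbatim, whatever the feed put there."""
    return conditional_escape(mark_safe(value))


def render_decoded(value):
    """Undo the feed's own HTML escaping once, then let autoescape escape exactly once."""
    return conditional_escape(html.unescape(value))


if __name__ == '__main__':
    first, hostile = summaries(FEED_XML)
    print('parsed       :', first)                      # &quot;A center ... &quot;--Cover.
    print('{{ var }}    :', render_autoescaped(first))  # &amp;quot; ... the symptom
    print('{{ var|safe }}:', render_safe(first))
    print('decoded      :', render_decoded(first))
    print('hostile|safe :', render_safe(hostile))       # raw <script> reaches the page
    print('hostile dec. :', render_decoded(hostile))    # escaped once, rendered as text
```

The decode-then-autoescape route is the one to prefer over `|safe` when the upstream source is only trusted to have HTML-escaped its text: it produces the same output for well-behaved entries and still neutralises anything that was not escaped at all.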