Reputation: 2589
In the docs it says:
"The only exceptions are variables that are already marked as "safe" from escaping, either by the code that populated the variable, or because it has had the safe or escape filters applied."
How does the "populated the variable" part work? I'm actually looking for a way to declare a template tag as safe in the view. I somehow think it's not a good idea to let a designer decide. My co-worker will just add it whenever she 'thinks' it's a good idea.
https://docs.djangoproject.com/en/dev/ref/templates/builtins/?from=olddocs
Upvotes: 14
Views: 13891
Reputation: 38382
Django has a subclass of strings called safe strings (specifically SafeUnicode or SafeString), which can be created using django.utils.safestring.mark_safe. When the template engine comes across a safe string it doesn't perform HTML escaping on it:
>>> from django.utils.safestring import mark_safe
>>> from django.template import Template, Context
>>> Template("{{ name }}").render(Context({'name': mark_safe('<b>Brad</b>')}))
u"<b>Brad</b>"
If you're writing your own template tag, you need to implement render(), which will return a string that will be treated as safe, meaning you have to handle any escaping necessary yourself. However, if you're writing a template filter, you can set the attribute is_safe = True on the filter to avoid auto escaping of the returned value, e.g.
from django import template
register = template.Library()

@register.filter
def myfilter(value):
    return value
myfilter.is_safe = True  # output is kept safe only when the input was already safe
See https://docs.djangoproject.com/en/4.0/howto/custom-template-tags/#filters-and-auto-escaping for more details.
Upvotes: 25
Reputation: 4751
You could call django.utils.safestring.mark_safe and pass your variable
...
return direct_to_template('my-template.html', {'safe_var': mark_safe('<script>alert("");</script>')})
In template it will be printed without escaping (alert will popup). Though auto-escape is really a great feature that will save you from some bad things.
Upvotes: 6
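Added example, not code from either answer and not Django's own implementation: a constructed, dependency-free model of the mechanism both answers describe, so it runs without Django installed. The names (SafeString, mark_safe, conditional_escape, is_safe) mirror Django's for readability, but every function here is a hypothetical stand-in, and the sample inputs are constructed. It shows why the engine leaves a safe string alone, why a filter's is_safe only preserves safety that the input already had, and the view-side pattern from the last answer: mark only the server-generated fragment safe and pass user input through unmarked.

```python
import html

# Constructed toy model of Django's safe-string design (not Django's code).


class SafeString(str):
    """A str subclass whose content the producer has vouched for as HTML-safe."""

    def __html__(self):
        # The template engine's conditional escape checks for this method.
        return self


def mark_safe(s):
    """Hypothetical stand-in for django.utils.safestring.mark_safe."""
    if isinstance(s, SafeString):
        return s
    return SafeString(s)


def conditional_escape(value):
    """Escape unless the value vouches for itself via __html__ (Django's rule)."""
    if hasattr(value, "__html__"):
        return value.__html__()
    return html.escape(str(value), quote=True)


def apply_filter(func, value):
    """Model the engine's is_safe rule: a filter marked is_safe keeps the output
    safe only when its input was already safe; otherwise the result is a plain
    str and will be escaped on output."""
    result = func(value)
    if getattr(func, "is_safe", False) and isinstance(value, SafeString):
        return mark_safe(result)
    return result


def render_variable(value, filters=()):
    """What {{ value|f1|f2 }} produces with autoescape on (toy model)."""
    for f in filters:
        value = apply_filter(f, value)
    return conditional_escape(value)


# Two hypothetical filters: one that cannot introduce markup (safe to flag),
# one that wraps its input in a tag and is deliberately left unflagged.
def shout(value):
    return str(value).upper()


shout.is_safe = True


def add_link(value):
    return '<a href="#">%s</a>' % value


# View-side pattern from the last answer: only the fragment the server built
# is marked safe; whatever came from the user is passed through untouched.
TRUSTED_SNIPPET = "<b>Brad</b>"  # constructed, server-controlled markup


def build_context(user_name):
    return {
        "safe_var": mark_safe(TRUSTED_SNIPPET),
        "user_name": user_name,  # never mark_safe() request data
    }


# Constructed sample input standing in for an untrusted request parameter.
USER_INPUT = '<script>alert("x")</script>'

if __name__ == "__main__":
    ctx = build_context(USER_INPUT)
    print(render_variable(ctx["user_name"]))            # escaped
    print(render_variable(ctx["safe_var"]))             # rendered as markup
    print(render_variable(USER_INPUT, [shout]))         # still escaped
    print(render_variable(ctx["safe_var"], [shout]))    # stays safe
    print(render_variable(ctx["safe_var"], [add_link])) # safety lost, escaped
```

The last two lines of the usage are the point of is_safe: shout keeps a safe input safe because it promises not to add markup, while add_link, which is not flagged, drops the safe status even for a trusted input, so its output is escaped rather than rendered.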