From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
Cc: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, PostgreSQL WWW <pgsql-www(at)postgresql(dot)org> |
Subject: | Re: escapes in submitted docs comments |
Date: | 2017-02-15 16:23:46 |
Message-ID: | CABUevExKx=98VUPWQuCQ5UnsyXmNZtiJWLqFYk+_My1n5+0u-w@mail.gmail.com |
Lists: | pgsql-www |
On Wed, Feb 15, 2017 at 4:31 PM, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
>
> > On 15 Feb 2017, at 14:09, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> >
> > On Wed, Feb 15, 2017 at 1:13 PM, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> > > On 15 Feb 2017, at 12:52, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> wrote:
> > >
> > > Daniel Gustafsson wrote:
> > >>> On 02 Feb 2017, at 22:47, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> > >>>
> > >>> The docs comments coming in through pgsql-docs look like this:
> > >>>
> > >>> select instr('010000101001001','1',-1) from dual
> > >>>
> > >>> Can the escaping be fixed?
> > >>
> > >> AFAIU with Django, to avoid the escaping the form content would have to be
> > >> marked safe which seems.. unsafe. Given the nature of SQL and the comments we
> > >> get, perhaps the simple approach is to just replace the unicode quote since it
> > >> will be quite common? Something along the lines of the (untested) diff below?
> > >
> > > There are plenty of other characters being escaped, though. Can't we
> > > just do something like "parse this html piece as text" instead?
> > > ("unescape" I suppose). We're only sending it in a text/plain email, so
> > > there's no worry of misinterpreted HTML.
> >
> > Perhaps not, I guess I'm just scared about potentially "helpful" MUAs who see
> > HTML and render it even if it's in text/plain. That being said, I don't think
> > I've seen one in quite some time.
> >
> > If a helpful MUA does that in text that's clearly set to text/plain, there is
> > really no helping the poor soul who uses it.
> >
> > And the mails we generate don't even have a text/html part, so I think we
> > should be perfectly safe.
>
> Perhaps we can just run the textarea output via the unescape function from
> django.utils.html before rendering the mail template?
>
I think what you normally want to do is put |safe in the template -- so
instead of {{whatever}} make it {{whatever|safe}}. That tells the template
to stop auto-escaping.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
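An added example (mine, not code from the pgweb project or from anyone in this thread) reproducing the behaviour under discussion: what Django's auto-escaping does to Peter's sample comment, what `|safe` and an unescape pass each give back, and a check that ties escaping to the content type of the part being generated. It uses Python's standard `html` module instead of Django so it runs stand-alone; the mail wording and helper names are constructed.

```python
"""Django-style auto-escaping vs. a text/plain notification mail.

Django < 3.0 escaped ' as &#39; (html.escape gives &#x27;); the escape
table below follows the older form seen in the thread. Django 1.x also
shipped the unescape step as django.utils.text.unescape_entities, which
is the same thing as html.unescape.
"""
import html
from email.message import EmailMessage

# Constructed sample: the comment Peter quoted, as the user typed it.
COMMENT = "select instr('010000101001001','1',-1) from dual"

# Escape table of django.utils.html.escape() before Django 3.0.
_DJANGO_ESCAPES = {ord("&"): "&amp;", ord("<"): "&lt;", ord(">"): "&gt;",
                   ord('"'): "&quot;", ord("'"): "&#39;"}


def autoescape(value: str) -> str:
    """What {{ comment }} renders to with auto-escaping on (the default)."""
    return value.translate(_DJANGO_ESCAPES)


def render_mail_body(comment: str, mark_safe: bool) -> str:
    """Mimic the mail template: {{ comment }} or {{ comment|safe }}."""
    rendered = comment if mark_safe else autoescape(comment)
    return f"A new comment on the docs:\n\n{rendered}\n"


def unescape_entities(value: str) -> str:
    """The other fix from the thread: undo the entities before templating."""
    return html.unescape(value)


def build_message(body: str, subtype: str = "plain") -> EmailMessage:
    """Wrap a rendered body in a single-part mail, text/plain by default."""
    msg = EmailMessage()
    msg["Subject"] = "docs comment"
    msg.set_content(body, subtype=subtype)
    return msg


def escaping_is_needed(msg: EmailMessage) -> bool:
    """Escaping is a property of the output context, not of the data:
    only an HTML part can misinterpret <, & or quotes."""
    return msg.get_content_type() == "text/html"


if __name__ == "__main__":
    print(render_mail_body(COMMENT, mark_safe=False))
    print(render_mail_body(COMMENT, mark_safe=True))
```

Note that escape followed by unescape is lossless even for a comment that itself contains `&amp;` or `<`, so the unescape route and `|safe` yield the same text/plain body.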