
Embedding HTML in Django Messages


Problem

You want to embed HTML within a message using Django's messages framework.

This is a reasonably common requirement - for instance, it's common to want to include a link within the message, perhaps pointing the user towards a sign-in or registration page.

This problem exists as of Django 1.4 but may be solved within the framework in later versions.

Solution

Use the extra_tags keyword argument to pass a flag indicating that the message is safe for rendering without escaping. For example:

from django.contrib import messages

def some_view(request):
    ...
    # The 'safe' extra tag marks this message as trusted HTML so the
    # template can render it without escaping.
    messages.success(request,
                     'Here is a <a href="/">link</a>.',
                     extra_tags='safe')
    ...

Then use some simple template logic to determine whether to use the safe filter:

<ul>
    {% for message in messages %}
    <li class="{{ message.tags }}">
        {% if 'safe' in message.tags %}
            {{ message|safe }}
        {% else %}
            {{ message }}
        {% endif %}
    </li>
    {% endfor %}
</ul>

Discussion

It's tempting to use the safe filter for all messages, but this opens up an XSS security hole if you are not careful, as it's easy to include user input verbatim in the message. For instance:

from django.contrib import messages

def some_view(request):
    code = request.GET['code']  # untrusted, attacker-controlled input
    ...
    # No 'safe' tag here: the template must escape this message.
    messages.success(request, "'%s' is not a valid voucher code" % code)

leads to an XSS hole if the safe filter is used on all messages as the contents of request.GET['code'] cannot be trusted. It's better to explicitly indicate which messages can be safely rendered without escaping.
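The following is an added, stand-alone illustration of the two points above (it is not code from the article or from Django). It simulates the template logic in plain Python so it runs without Django: the Message class is a constructed stand-in for django.contrib.messages' Message (whose tags property joins extra_tags and level_tag with a space), and html.escape from the standard library stands in for Django's escape. It also shows how to build a 'safe' message that still contains untrusted input, by escaping the untrusted value before it is interpolated (the same idea as Django's format_html).

```python
import html
from dataclasses import dataclass


@dataclass
class Message:
    """Constructed stand-in for django.contrib.messages' Message."""
    level_tag: str
    message: str
    extra_tags: str = ""

    @property
    def tags(self) -> str:
        # Django joins extra_tags and level_tag with a space, extra_tags first.
        return " ".join(t for t in (self.extra_tags, self.level_tag) if t)


def render_message(msg: Message) -> str:
    """Mirror the template: escape unless the message carries the 'safe' tag.

    Note the exact-token check (split) rather than the template's substring
    check, so a tag such as 'unsafe' would not accidentally match.
    """
    if "safe" in msg.tags.split():
        body = msg.message                       # trusted HTML, rendered as-is
    else:
        body = html.escape(msg.message, quote=True)  # untrusted, escaped
    return f'<li class="{msg.tags}">{body}</li>'


def safe_message_with_untrusted(template: str, **values) -> Message:
    """Build a 'safe' message whose HTML is trusted but whose values are not.

    Each value is escaped before interpolation, so markup in the template
    survives while markup in the values is neutralised (like format_html).
    """
    escaped = {k: html.escape(str(v), quote=True) for k, v in values.items()}
    return Message("success", template.format(**escaped), extra_tags="safe")


def demo() -> list[str]:
    # Constructed attacker-controlled value, as if it came from request.GET.
    untrusted = "<script>alert(1)</script>"

    # 1. A trusted message with a link, flagged safe (the Solution above).
    link_msg = Message("success", 'Here is a <a href="/">link</a>.',
                       extra_tags="safe")

    # 2. A message embedding user input with no safe flag: must be escaped.
    voucher_msg = Message("error",
                          f"'{untrusted}' is not a valid voucher code")

    # 3. A safe message that needs both a link and the untrusted value.
    mixed_msg = safe_message_with_untrusted(
        "'{code}' is not a valid voucher code. "
        '<a href="/vouchers/">Try another</a>',
        code=untrusted,
    )

    return [render_message(m) for m in (link_msg, voucher_msg, mixed_msg)]


if __name__ == "__main__":
    for rendered in demo():
        print(rendered)
```

Running demo() renders the first message with its anchor intact, the second with the script tag turned into &lt;script&gt;, and the third with the anchor intact but the injected value escaped. The design point is that 'safe' should describe the message's HTML, which the developer wrote, never the values interpolated into it, which always go through escaping first.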

Taken from a Stack Overflow answer.


Published at DZone with permission of David Winterbottom, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
