marksweb / django-bleach

Bleach is a Python module that takes any HTML input, and returns valid, sanitised HTML that contains only an allowed subset of HTML tags, attributes and styles. django-bleach is a Django app that makes using bleach extremely easy.
MIT License

Propose that the model field marks retrieved data as template safe #35

Closed MrkGrgsn closed 3 years ago

MrkGrgsn commented 3 years ago

Is your feature request related to a problem? Please describe.
The problem here is similar to #27 in that when writing templates that render model instances with bleached data fields you need to explicitly mark each field as template safe. I think ad-hoc use of mark_safe is a bad practice and better practice would be to do it systematically.

I would have proposed this in #27 but at the time I was thinking that the model field already did this. I realised afterward that this is actually a local modification. Sorry for the spam!

Describe the solution you'd like
I would like the BleachedField model field to mark all data retrieved from the DB as template safe in from_db_value(). The data is bleached before saving so anything read back is safe.

Describe alternatives you've considered
The default position is that the field doesn't mark anything safe and you need to mark bleached content as template safe every time it's used in a template. This introduces an unnecessary human element in my view.

marksweb commented 3 years ago

Thanks @MrkGrgsn - contributing certainly isn't something I'm going to consider as spam!!

I'm not really using this package too closely at the moment, so it's good to get some valuable input from someone who is!

Like your other changes, this sounds sensible to me 👍

MrkGrgsn commented 3 years ago

Cool, thanks, I'll get on to it shortly. I appreciate that you're staying involved 👍