My Django app has a Person table, which contains the following text in a field named details:
<script>alert('Hello');</script>
When I call PersonForm.details in my template, the page renders the script accordingly (a.k.a., an alert with the word ‘Hello’ is displayed). I’m confused by this behavior because I always thought Django 1.0 autoescaped template content by default.
Any idea what may be going on here?
UPDATE: Here’s the snippet from my template. Nothing terribly sexy:
{{ person_form.details }}
UPDATE 2: I have tried escape, force-escape, and escapejs. None of these work.
You need to mark the values as | safe I think (I’m guessing that you’re filling in the value from the database here(?)):
Could you post a sample of the template? Might make it easier to see what’s wrong
[Edit] ...or are you saying that you want it to escape the values (make them safe)? Have you tried manually escaping the field:
[Edit2] Maybe escapejs from the Django Project docs is relevant:
[Edit3] What about force_escape:
…and I know it’s an obvious one, but you’re absolutely certain you’ve not got any caching going on in your browser? I’ve tripped over that one a few times myself 😉
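As an added illustration (not code from the question or the answer above, and not Django's own source), here is a stdlib-only model of the autoescaping contract the thread is arguing about. `SafeString` stands in for Django's `SafeData` marker, `render_variable` for what `{{ var }}` does, and the two widget classes are constructed stand-ins: one escapes the value before marking its markup safe (the contract Django's widgets follow), the other interpolates the raw value and marks the whole tag safe. The point it makes visible is that autoescaping only ever applies `conditional_escape`, so a string already marked safe passes through `{{ }}` and through the `escape` filter untouched, while `force_escape` escapes unconditionally.

```python
# Added example: a stdlib-only model of Django's autoescaping contract.
# SafeString stands in for django.utils.safestring.SafeData; the widget
# classes are constructed stand-ins, not Django's own widgets.


class SafeString(str):
    """A string the template engine trusts and will not escape again
    (stand-in for django.utils.safestring.SafeData)."""


def mark_safe(value):
    """Promise the engine that `value` is already safe HTML."""
    return SafeString(value)


def escape(value):
    """Unconditional HTML escaping, like django.utils.html.escape.
    The result is marked safe so it is not escaped a second time.
    '&' is replaced first so entities are not double-escaped."""
    text = str(value)
    for char, entity in (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
                         ('"', "&quot;"), ("'", "&#39;")):
        text = text.replace(char, entity)
    return SafeString(text)


def conditional_escape(value):
    """Escape unless the value is already marked safe; this is what
    autoescaping applies to every {{ variable }}."""
    if isinstance(value, SafeString):
        return value
    return escape(value)


def escape_filter(value):
    """Models the |escape filter under autoescape: a value already marked
    safe passes through unchanged, so the filter cannot undo mark_safe."""
    return conditional_escape(value)


def force_escape_filter(value):
    """Models |force_escape: escapes regardless of the safe marker."""
    return escape(value)


def render_variable(value, autoescape=True):
    """What {{ value }} produces with autoescaping on or off."""
    if autoescape:
        return conditional_escape(value)
    return str(value)


class TextareaWidget:
    """A widget that escapes the field value and then marks its own
    markup safe; this is the contract Django's widgets follow."""

    def render(self, name, value):
        html = '<textarea name="%s">%s</textarea>' % (
            escape(name), conditional_escape(value))
        return mark_safe(html)


class RawTextareaWidget:
    """Constructed counter-example: interpolates the value unescaped and
    still marks the result safe, so {{ form.field }} emits it verbatim."""

    def render(self, name, value):
        return mark_safe('<textarea name="%s">%s</textarea>' % (name, value))


# Constructed sample value, the same payload as in the question.
PAYLOAD = "<script>alert('Hello');</script>"


def demo():
    """Return the rendered output of each path so the differences are visible."""
    raw = RawTextareaWidget().render("details", PAYLOAD)
    return {
        "plain_variable": render_variable(PAYLOAD),
        "autoescape_off": render_variable(PAYLOAD, autoescape=False),
        "safe_widget": render_variable(TextareaWidget().render("details", PAYLOAD)),
        "raw_widget": render_variable(raw),
        "escape_on_safe": escape_filter(raw),
        "force_escape_on_safe": force_escape_filter(raw),
    }


if __name__ == "__main__":
    for label, out in demo().items():
        print("%-22s %s" % (label, out))
```

Running it shows the plain variable and the escaping widget both neutralise the payload, while the raw widget's output survives `{{ }}` and `|escape` unchanged and is only neutralised by `|force_escape`, which then also escapes the `<textarea>` tags themselves. So if `{{ person_form.details }}` really is emitting a live `<script>`, the place to look is whatever is producing the widget markup (a custom widget, `mark_safe` on the value, or an `{% autoescape off %}` block), not the `{{ }}` autoescaping.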