Is Django autoescape safe?

I want to display some HTML in Django 1.0 templates, and I was doing something like this:

{% autoescape off %}{{ var.text }}{% endautoescape %}

and I'm just wondering how safe this is. Am I still protected from SQL injection, cross-site scripting and other vulnerabilities?

=== Edit ===

This text will come from users, so what is the best way to display HTML in a Django template safely?

+3
3 answers

Autoescape has nothing to do with SQL injection (that is a separate matter). With autoescape off, the variable is output "as is", without any escaping (i.e. any HTML or script it contains is rendered).

+8

If the HTML comes from the user, it is not safe to output it unescaped.

Also, (for brevity) you can change

{% autoescape off %}
    {{ var.text }}
{% endautoescape %}

to

{{ var.text|safe }}
+5

Whether it is safe or not depends entirely on where var.text came from. If it is an advertising message (for example) that is completely under your control, then you are safe unless you shoot yourself in the foot. If var.text somehow came from the user, then you are in danger.

+1
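To make the difference between the answers concrete, here is an added example that is not part of the original thread. It uses only the Python standard library (Django's template engine is not imported, so it runs offline): autoescape_on mirrors what {{ var.text }} does with autoescape on, autoescape_off mirrors {% autoescape off %} / |safe, and WhitelistSanitizer shows the approach the question is really asking about, a tag/attribute whitelist applied to user-supplied HTML before it is marked safe. The whitelist, the URL-scheme check and the sample input are my assumptions, not anything from the thread.

```python
import html
from html.parser import HTMLParser

# Assumed whitelist for a comment-style input; adjust to your application.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}  # drop the tag *and* its text


def autoescape_on(text):
    """What Django emits for {{ var.text }} with autoescape on: < > & " ' are escaped."""
    return html.escape(text, quote=True)


def autoescape_off(text):
    """What {% autoescape off %} or |safe emits: the text unchanged, markup and all."""
    return text


def _safe_href(value):
    # Reject javascript:, data:, vbscript: and friends; allow http(s), mailto and site-relative links.
    v = value.strip().lower()
    return v.startswith(("http://", "https://", "mailto:", "/"))


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the input keeping only whitelisted tags/attributes, escaping everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []   # tags we emitted and still need to close
        self.skipping = False  # inside <script>/<style>: discard text

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text still flows through handle_data
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # e.g. onclick, style are never copied
            if name == "href" and not _safe_href(value):
                continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = False
            return
        if tag in ALLOWED_TAGS and tag in self.open_stack:
            # Close everything opened after it so the output stays balanced.
            while self.open_stack:
                t = self.open_stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=True))


def sanitize(user_html):
    """Return HTML that is safe to pass through |safe: whitelisted markup only, rest escaped."""
    p = WhitelistSanitizer()
    p.feed(user_html)
    p.close()
    while p.open_stack:  # close anything the user left open
        p.out.append(f"</{p.open_stack.pop()}>")
    return "".join(p.out)


# Constructed sample of hostile user input (not from the thread).
USER_TEXT = ('<p>Hi <b>there</b></p><script>alert(1)</script>'
             '<a href="javascript:alert(2)" onclick="x()">x</a>')

if __name__ == "__main__":
    print("autoescape on :", autoescape_on(USER_TEXT))   # inert, but shows literal tags
    print("autoescape off:", autoescape_off(USER_TEXT))  # script and javascript: URL reach the browser
    print("sanitized     :", sanitize(USER_TEXT))        # <p>Hi <b>there</b></p><a>x</a>
```

The point of the three outputs: autoescape on is safe but shows the user's tags as text, autoescape off on user input is a stored XSS, and only the sanitized string should ever be combined with |safe or autoescape off. For production I would use a maintained sanitizer library rather than this hand-rolled parser; the example is here to show what such a library has to do.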

Source: https://habr.com/ru/post/1717474/
