[Django]-How do I output HTML in a message in the new Django messages framework?

by

98👍

Another option is to use extra_tags keyword arg to indicate that a message is safe. Eg

messages.error(request, 'Here is a <a href="/">link</a>', extra_tags='safe')

then use template logic to use the safe filter

{% for message in messages %}
    <li class="{{ message.tags }}">
    {% if 'safe' in message.tags %}{{ message|safe }}{% else %}{{ message }}{% endif %}
    </li>
{% endfor %}
👤DavidWinterbottom

30👍

This worked for me (Django 1.11):

from django.contrib import messages
from django.utils.safestring import mark_safe

messages.info(request, mark_safe('This is link to <a href="http://google.com">http://google.com</a>'))
👤valex

27👍

As noted in the following Django ticket, it should work if you use mark_safe() in combination with the SessionStorage backend: https://code.djangoproject.com/ticket/14976#comment:9

👤jphalip

17👍

Have you tried {{ message | safe }}?

In the Django template system template variables are always escaped, unless you specify them as safe with the safe filter. This default makes even the unaware protected against an injection attack.

I’m not sure how that interacts with mark_safe, but perhaps something happened in between that made it unsafe again.

👤Danny Roberts

7👍

You can use format_html. It applies escaping to all arguments.

For example, if we can link with a ‘mymodel’ detail using an attribute call ‘name’:

from django.contrib import messages
from django.utils.html import format_html


message = format_html("{} <a href='{}'>{}</a>",
                      "This is the mymodel", 
                      reverse('myapp:mymodel-detail', args=(mymodel.id,)),
                      mymodel.name)
messages.info(request, message)

This answer is based on https://stackoverflow.com/a/33751717/3816639

👤negas

2👍

As Ryan Kaske said here, the correct way is to use {{ message.message }} instead of {{ message }}. e.g.

{% if messages %}
    <ul class="messagelist">
        {% for message in messages %}
            <li>{{ message.message }}</li>
        {% endfor %}
    </ul>
{% endif %}
👤Taha Jahangir

1👍

The entire point of the templating system is to deal with strings and data like this.

While every other answer instructs you to mark your built string as safe, I would go one step further and tell you to never use HTML in your code – always use a template instead.

The template system makes sure things are properly escaped so you don’t have to worry about it, and it’s much harder for the programmer to get into the situation where they’re building up an HTML string out of a bunch of ifs, and user data.

app/templates/app/fragments/google_link.html:

<a href="https://www.google.com">Here's Google!</a>

views.py:

from django.template import loader

...

def view(request):
    messages.info(
        request,
        loader.render_to_string(
            'app/fragments/google_link.html',
            {},
            request=request,
        ),
    )
👤Adam Barnes

0👍

I was looking for a way to use unescaped HTML in an admin listing. Not sure if this applies to the messages framework, but using allow_tags as described here helped me.

http://urlencode.blogspot.com/2009/10/neat-django-admin-tricks-part-1.html

👤Larry

Leave a comment