17👍
✅
Strings in Django templates are automatically escaped. You don’t want your raw HTML to be auto-escaped, so you should either pass the string to the safe filter:
{{ message|safe }}
or disable autoescape with the autoescape tag:
{% autoescape off %}
{{ message }}
{% endautoescape %}
68👍
If you don’t want to turn off autoescaping on all messages/templates, you can use mark_safe for that particular message:
from django.utils.safestring import mark_safe
messages.info(request, mark_safe("My message with an <a href='/url'>hyperlink</a>"))
And if you maybe have some unsafe parts of your message, you can use cgi.escape to escape those parts.
from cgi import escape
messages.info(request, mark_safe("%s <a href='/url'>hyperlink</a>" % escape(unsafe_value)))
👤BB.
14👍
From https://docs.djangoproject.com/en/dev/ref/utils/#django.utils.html.format_html, another option would be to use format_html, which will apply escaping to (unsafe) arguments, similar to the escaping in the Template system.
from django.utils.html import format_html
messages.info(request, format_html("My {} <a href='/url'>{}</a>", some_text, other_text))
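The second and third answers above both turn on one question: which part of the message is escaped before the whole thing is marked safe. The following is an added example, not code from the page or from Django itself: it re-implements the semantics of mark_safe, escape and format_html in dependency-free Python (the SafeString, mark_safe, escape, conditional_escape and format_html names are stand-ins for the Django functions of the same name, and html.escape is used because cgi.escape was removed in Python 3.8), then contrasts a message that interpolates untrusted text before mark_safe with the two safe patterns from the answers, using a constructed script-tag string as the untrusted value.

```python
import html
from typing import Any


class SafeString(str):
    """Marker type: the text is trusted HTML and must not be escaped again.
    Stand-in for django.utils.safestring.SafeString (assumption: same role)."""


def mark_safe(text: str) -> SafeString:
    # Only call this on markup you wrote yourself, never on user-controlled text.
    return SafeString(text)


def escape(value: Any) -> SafeString:
    # html.escape replaces & < > " and ' ; the result is safe to embed in HTML.
    return SafeString(html.escape(str(value), quote=True))


def conditional_escape(value: Any) -> SafeString:
    # Already-safe strings pass through untouched; everything else is escaped.
    if isinstance(value, SafeString):
        return value
    return escape(value)


def format_html(template: str, *args: Any, **kwargs: Any) -> SafeString:
    # The template literal is trusted; every argument is escaped unless marked safe.
    safe_args = [conditional_escape(a) for a in args]
    safe_kwargs = {k: conditional_escape(v) for k, v in kwargs.items()}
    return mark_safe(template.format(*safe_args, **safe_kwargs))


# Constructed untrusted input for the demonstration (not from the page).
USER_INPUT = "<script>alert(1)</script>"


def vulnerable_message(user_value: str) -> str:
    # Pattern to avoid: untrusted text is interpolated *before* mark_safe,
    # so the safe marker blesses the user's markup along with your link.
    return mark_safe("%s <a href='/url'>hyperlink</a>" % user_value)


def escaped_message(user_value: str) -> str:
    # Second answer's pattern: escape the untrusted part, then mark the whole safe.
    return mark_safe("%s <a href='/url'>hyperlink</a>" % escape(user_value))


def format_html_message(user_value: str) -> str:
    # Third answer's pattern: format_html escapes every argument for you.
    return format_html("{} <a href='/url'>{}</a>", user_value, "hyperlink")


def contains_raw_script(rendered: str) -> bool:
    # Simple check for the demonstration: did a live <script> tag survive?
    return "<script>" in rendered


if __name__ == "__main__":
    for fn in (vulnerable_message, escaped_message, format_html_message):
        out = fn(USER_INPUT)
        print(f"{fn.__name__:22} raw_script={contains_raw_script(out)!s:5} {out}")
```

Running the block prints one line per pattern; only vulnerable_message leaves the script tag intact, while both safe patterns render it as `&lt;script&gt;...` and keep the hand-written anchor as live markup. The design point is that the safe marker applies to the whole string, so anything concatenated into it before the marker is set inherits the trust; format_html avoids that by escaping at the argument boundary rather than relying on the caller to remember.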
Source:stackexchange.com