Embedding HTML in Django Messages
Problem
You want to embed HTML within a message using Django's messages framework.
This is a reasonably common requirement - for instance, it's common to want to include a link within the message, perhaps pointing the user towards a sign-in or registration page.
This problem exists as of Django 1.4 but may be solved within the framework in later versions.
Solution
Use the extra_tags keyword argument to pass a flag indicating that the message is safe for rendering without escaping. For example:
from django.contrib import messages
def some_view(request):
...
messages.success(request,
'Here is a <a href="/">link</a>/',
extra_tags='safe')
...Then use some simple template logic to determine whether to use the safe filter:
<ul>
{% for message in messages %}
<li class="{{ message.tags }}">
{% if 'safe' in message.tags %}
{{ message|safe }}
{% else %}
{{ message }}
{% endif %}
</li>
{% endfor %}
</ul>Discussion
It's tempting to use the safe filter for all messages but this opens up a XSS security hole if you are not careful as it's easy to include user input verbatim in the message. For instance:
from django.contrib import messages
def some_view(request):
code = request.GET['code']
...
messages.success(request, "'%s' is not valid voucher code" % code)leads to an XSS hole if the safe filter is used on all messages as the
contents of request.GET['code'] cannot be trusted. It's better to
explicitly indicate which messages can be safely rendered without escaping.
Taken from a Stack Overflow answer.
(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)
