On Wed, Feb 15, 2017 at 4:31 PM, Daniel Gustafsson <daniel@yesql.se> wrote:
> On 15 Feb 2017, at 14:09, Magnus Hagander <magnus@hagander.net> wrote: > > On Wed, Feb 15, 2017 at 1:13 PM, Daniel Gustafsson <daniel@yesql.se <mailto:daniel@yesql.se>> wrote: > > On 15 Feb 2017, at 12:52, Alvaro Herrera <alvherre@2ndquadrant.com <mailto:alvherre@2ndquadrant.com>> wrote: > > > > Daniel Gustafsson wrote: > >>> On 02 Feb 2017, at 22:47, Peter Eisentraut <peter.eisentraut@2ndquadrant.com <mailto:peter.eisentraut@2ndquadrant.com>> wrote: > >>> > >>> The docs comments coming in through pgsql-docs look like this: > >>> > >>> select instr('010000101001001','1',-1) from dual > >>> > >>> Can the escaping be fixed? > >> > >> AFAIU with Django, to avoid the escaping the form content would have to be > >> marked safe which seems.. unsafe. Given the nature of SQL and the comments we > >> get, perhaps the simple approach is to just replace the unicode quote since it > >> will be quite common? Something along the lines of the (untested) diff below? > > > > There are plenty of other characters being escaped, though. Can't we > > just do something like "parse this html piece as text" instead? > > ("unescape" I suppose). We're only sending it in a text/plain email, so > > there's no worry of misinterpreted HTML. > > Perhaps not, I guess I’m just scared about potentially “helpful” MUA’s who see > HTML and renders even if it’s in text/plain. That being said, I don’t think > I’ve seen one in quite some time. > > If a helpful MUA does that in text that's clearly set to text/plain, there is really no helping the poor soul who uses it. > > And the mails we generate don't even have a text/html part, so I think we should be perfectly safe.
Perhaps we can just run the textarea output via the unescape function from django.utils.html before rendering the mail template?
I think what you normally want to do is put |safe in the template -- so instead of {{whatever}} make it {{whatever|safe}}. That tells the template to stop auto-escaping.