Chapter 8: Advanced Templates

Although most of your interactions with Django’s template language will be in the role of template author, you may want to customize and extend the template engine – either to make it do something it doesn’t already do, or to make your job easier in some other way.

This chapter delves deep into the guts of Django’s template system. It covers what you need to know if you plan to extend the system or if you’re just curious about how it works. It also covers the auto-escaping feature, a security measure you’ll no doubt notice over time as you continue to use Django.

Template Language Review

First, let’s quickly review a number of terms introduced in Chapter 3:

• A template is a text document, or a normal Python string, that is marked up using the Django template language. A template can contain template tags and variables.

• A template tag is a symbol within a template that does something. This definition is deliberately vague. For example, a template tag can produce content, serve as a control structure (an if statement or for loop), grab content from a database, or enable access to other template tags.

  Template tags are surrounded by {% and %}:

  {% if is_logged_in %}
      Thanks for logging in!
  {% else %}
      Please log in.
  {% endif %}
  

• A variable is a symbol within a template that outputs a value.

  Variable tags are surrounded by {{ and }}:

  My first name is {{ first_name }}. My last name is {{ last_name }}.
  

• A context is a name->value mapping (similar to a Python dictionary) that is passed to a template.

• A template renders a context by replacing the variable “holes” with values from the context and executing all template tags.

For more details about the basics of these terms, refer back to Chapter 3.

The rest of this chapter discusses ways of extending the template engine. First, though, let’s take a quick look at a few internals left out of Chapter 3 for simplicity.

RequestContext and Context Processors

When rendering a template, you need a context. This can be an instance of django.template.Context, but Django also comes with a subclass, django.template.RequestContext, that acts slightly differently.RequestContext adds a bunch of variables to your template context by default – things like the HttpRequestobject or information about the currently logged-in user. The render() shortcut creates a RequestContextunless it is passed a different context instance explicitly.

Use RequestContext when you don’t want to have to specify the same set of variables in a series of templates. For example, consider these two views:

from django.template import loader, Context

def view_1(request):
    # ...
    t = loader.get_template("template1.html")
    c = Context({
        "app": "My app",
        "user": request.user,
        "ip_address": request.META["REMOTE_ADDR"],
        "message": "I am view 1."
    })
    return t.render(c)

def view_2(request):
    # ...
    t = loader.get_template("template2.html")
    c = Context({
        "app": "My app",
        "user": request.user,
        "ip_address": request.META["REMOTE_ADDR"],
        "message": "I am the second view."
    })
    return t.render(c)

(Note that we’re deliberately not using the render() shortcut in these examples – we’re manually loading the templates, constructing the context objects and rendering the templates. We’re “spelling out” all of the steps for the purpose of clarity.)

Each view passes the same three variables – app, user and ip_address – to its template. Wouldn’t it be nice if we could remove that redundancy?

RequestContext and context processors were created to solve this problem. Context processors let you specify a number of variables that get set in each context automatically – without you having to specify the variables in each render() call. The catch is that you have to use RequestContext instead of Context when you render a template.

The most low-level way of using context processors is to create some processors and pass them toRequestContext. Here’s how the above example could be written with context processors:

from django.template import loader, RequestContext

def custom_proc(request):
    "A context processor that provides "app", "user" and "ip_address"."
    return {
        "app": "My app",
        "user": request.user,
        "ip_address": request.META["REMOTE_ADDR"]
    }

def view_1(request):
    # ...
    t = loader.get_template("template1.html")
    c = RequestContext(request, {"message": "I am view 1."},
            processors=[custom_proc])
    return t.render(c)

def view_2(request):
    # ...
    t = loader.get_template("template2.html")
    c = RequestContext(request, {"message": "I am the second view."},
            processors=[custom_proc])
    return t.render(c)

Let’s step through this code:

• First, we define a function custom_proc. This is a context processor – it takes an HttpRequest object and returns a dictionary of variables to use in the template context. That’s all it does.
• We’ve changed the two view functions to use RequestContext instead of Context. There are two differences in how the context is constructed. One, RequestContext requires the first argument to be an HttpRequestobject – the one that was passed into the view function in the first place (request). Two, RequestContexttakes an optional processors argument, which is a list or tuple of context processor functions to use. Here, we pass in custom_proc, the custom processor we defined above.
• Each view no longer has to include app, user or ip_address in its context construction, because those are provided by custom_proc.
• Each view still has the flexibility to introduce any custom template variables it might need. In this example, the message template variable is set differently in each view.

In Chapter 3, we introduced the render() shortcut, which saves you from having to callloader.get_template(), then create a Context, then call the render() method on the template. In order to demonstrate the lower-level workings of context processors, the above examples didn’t use render(), . But it’s possible – and preferable – to use context processors with render(). Do this with the context_instanceargument, like so:

from django.shortcuts import render
from django.template import RequestContext

def custom_proc(request):
    "A context processor that provides "app", "user" and "ip_address"."
    return {
        "app": "My app",
        "user": request.user,
        "ip_address": request.META["REMOTE_ADDR"]
    }

def view_1(request):
    # ...
    return render(request, "template1.html",
        {"message": "I am view 1."},
        context_instance=RequestContext(request, processors=[custom_proc]))

def view_2(request):
    # ...
    return render(request, "template2.html",
        {"message": "I am the second view."},
        context_instance=RequestContext(request, processors=[custom_proc]))

Here, we’ve trimmed down each view’s template rendering code to a single (wrapped) line.

This is an improvement, but, evaluating the conciseness of this code, we have to admit we’re now almost overdosing on the other end of the spectrum. We’ve removed redundancy in data (our template variables) at the cost of adding redundancy in code (in the processors call). Using context processors doesn’t save you much typing if you have to type processors all the time.

For that reason, Django provides support for global context processors. The context_processors setting (in your settings.py) designates which context processors should always be applied to RequestContext. This removes the need to specify processors each time you use RequestContext.

By default, context_processors is set to the following:

"context_processors": [
            "django.template.context_processors.debug",
            "django.template.context_processors.request",
            "django.contrib.auth.context_processors.auth",
            "django.contrib.messages.context_processors.messages",
        ],

This setting is a list of callables that use the same interface as our custom_proc function above – functions that take a request object as their argument and return a dictionary of items to be merged into the context. Note that the values in context_processors are specified as strings, which means the processors are required to be somewhere on your Python path (so you can refer to them from the setting).

Each processor is applied in order. That is, if one processor adds a variable to the context and a second processor adds a variable with the same name, the second will override the first.

Django provides a number of simple context processors, including the ones that are enabled by default:

auth

django.contrib.auth.context_processors.auth

If this processor is enabled, every RequestContext will contain these variables:

• user – An auth.User instance representing the currently logged-in user (or an AnonymousUser instance, if the client isn’t logged in).
• perms – An instance of django.contrib.auth.context_processors.PermWrapper, representing the permissions that the currently logged-in user has.

debug

django.template.context_processors.debug

If this processor is enabled, every RequestContext will contain these two variables – but only if your DEBUGsetting is set to True and the request’s IP address (request.META["REMOTE_ADDR"]) is in the INTERNAL_IPSsetting:

• debug – True. You can use this in templates to test whether you’re in DEBUG mode.
• sql_queries – A list of {"sql": ..., "time": ...} dictionaries, representing every SQL query that has happened so far during the request and how long it took. The list is in order by query and lazily generated on access.

i18n

django.template.context_processors.i18n

If this processor is enabled, every RequestContext will contain these two variables:

• LANGUAGES – The value of the LANGUAGES setting.
• LANGUAGE_CODE – request.LANGUAGE_CODE, if it exists. Otherwise, the value of the LANGUAGE_CODE setting.

media

django.template.context_processors.media

If this processor is enabled, every RequestContext will contain a variable MEDIA_URL, providing the value of the MEDIA_URL setting.

static

django.template.context_processors.static

If this processor is enabled, every RequestContext will contain a variable STATIC_URL, providing the value of the STATIC_URL setting.

csrf

django.template.context_processors.csrf

This processor adds a token that is needed by the csrf_token template tag for protection against Cross Site Request Forgeries (see chapter 21).

request

django.template.context_processors.request

If this processor is enabled, every RequestContext will contain a variable request, which is the currentHttpRequest.

messages

django.contrib.messages.context_processors.messages

If this processor is enabled, every RequestContext will contain these two variables:

• messages – A list of messages (as strings) that have been set via the messages framework (see Appendix H).
• DEFAULT_MESSAGE_LEVELS – A mapping of the message level names to their numeric value.

Guidelines for Writing Your Own Context Processors

A context processor has a very simple interface: It’s just a Python function that takes one argument, anHttpRequest object, and returns a dictionary that gets added to the template context. Each context processor must return a dictionary.

Here are a few tips for rolling your own:

• Make each context processor responsible for the smallest subset of functionality possible. It’s easy to use multiple processors, so you might as well split functionality into logical pieces for future reuse.
• Keep in mind that any context processor in TEMPLATE_CONTEXT_PROCESSORS will be available in every template powered by that settings file, so try to pick variable names that are unlikely to conflict with variable names your templates might be using independently. As variable names are case-sensitive, it’s not a bad idea to use all caps for variables that a processor provides.
• Custom context processors can live anywhere in your code base. All Django cares about is that your custom context processors are pointed to by the "context_processors" option in your TEMPLATES setting – or thecontext_processors argument of Engine if you’re using it directly. With that said, the convention is to save them in a file called context_processors.py within your app or project.

Automatic HTML Escaping

When generating HTML from templates, there’s always a risk that a variable will include characters that affect the resulting HTML. For example, consider this template fragment:

Hello, {{ name }}.

At first, this seems like a harmless way to display a user’s name, but consider what would happen if the user entered his name as this:

<script>alert("hello")</script>

With this name value, the template would be rendered as:

Hello, <script>alert("hello")</script>

…which means the browser would pop-up a JavaScript alert box!

Similarly, what if the name contained a "<" symbol, like this?

<b>username

That would result in a rendered template like this:

Hello, <b>username

…which, in turn, would result in the remainder of the Web page being bolded!

Clearly, user-submitted data shouldn’t be trusted blindly and inserted directly into your Web pages, because a malicious user could use this kind of hole to do potentially bad things. This type of security exploit is called a Cross Site Scripting (XSS) attack. (For more on security, see Chapter 21.)

To avoid this problem, you have two options:

• One, you can make sure to run each untrusted variable through the escape filter, which converts potentially harmful HTML characters to unharmful ones. This was the default solution in Django for its first few years, but the problem is that it puts the onus on you, the developer / template author, to ensure you’re escaping everything. It’s easy to forget to escape data.
• Two, you can take advantage of Django’s automatic HTML escaping. The remainder of this section describes how auto-escaping works.

By default in Django, every template automatically escapes the output of every variable tag. Specifically, these five characters are escaped:

• < is converted to <
• > is converted to >
• " (single quote) is converted to '
• " (double quote) is converted to "
• & is converted to &

Again, we stress that this behavior is on by default. If you’re using Django’s template system, you’re protected.

How to Turn it Off

If you don’t want data to be auto-escaped, on a per-site, per-template level or per-variable level, you can turn it off in several ways.

Why would you want to turn it off? Because sometimes, template variables contain data that you intend to be rendered as raw HTML, in which case you don’t want their contents to be escaped. For example, you might store a blob of trusted HTML in your database and want to embed that directly into your template. Or, you might be using Django’s template system to produce text that is not HTML – like an e-mail message, for instance.

For Individual Variables

To disable auto-escaping for an individual variable, use the safe filter:

This will be escaped: {{ data }}
This will not be escaped: {{ data|safe }}

Think of safe as shorthand for safe from further escaping or can be safely interpreted as HTML. In this example, if data contains "<b>", the output will be:

This will be escaped: <b>
This will not be escaped: <b>

For Template Blocks

To control auto-escaping for a template, wrap the template (or just a particular section of the template) in the autoescape tag, like so:

{% autoescape off %}
    Hello {{ name }}
{% endautoescape %}

The autoescape tag takes either on or off as its argument. At times, you might want to force auto-escaping when it would otherwise be disabled. Here is an example template:

Auto-escaping is on by default. Hello {{ name }}

{% autoescape off %}
    This will not be auto-escaped: {{ data }}.

    Nor this: {{ other_data }}
    {% autoescape on %}
        Auto-escaping applies again: {{ name }}
    {% endautoescape %}
{% endautoescape %}

The auto-escaping tag passes its effect on to templates that extend the current one as well as templates included via the include tag, just like all block tags. For example:

# base.html

{% autoescape off %}
<h1>{% block title %}{% endblock %}</h1>
{% block content %}
{% endblock %}
{% endautoescape %}

# child.html

{% extends "base.html" %}
{% block title %}This &amp; that{% endblock %}
{% block content %}{{ greeting }}{% endblock %}

Because auto-escaping is turned off in the base template, it will also be turned off in the child template, resulting in the following rendered HTML when the greeting variable contains the string <b>Hello!</b>:

<h1>This & that</h1>
<b>Hello!</b>

Generally, template authors don’t need to worry about auto-escaping very much. Developers on the Python side (people writing views and custom filters) need to think about the cases in which data shouldn’t be escaped, and mark data appropriately, so things work in the template.

If you’re creating a template that might be used in situations where you’re not sure whether auto-escaping is enabled, then add an escape filter to any variable that needs escaping. When auto-escaping is on, there’s no danger of the escape filter double-escaping data – the escape filter does not affect auto-escaped variables.

Automatic Escaping of String Literals in Filter Arguments

As we mentioned earlier, filter arguments can be strings:

{{ data|default:"This is a string literal." }}

All string literals are inserted without any automatic escaping into the template – they act as if they were all passed through the safe filter. The reasoning behind this is that the template author is in control of what goes into the string literal, so they can make sure the text is correctly escaped when the template is written.

This means you would write

{{ data|default:"3 < 2" }}

…rather than

{{ data|default:"3 < 2" }}  <-- Bad! Don"t do this.

This doesn’t affect what happens to data coming from the variable itself. The variable’s contents are still automatically escaped, if necessary, because they’re beyond the control of the template author.

Inside Template Loading

Generally, you’ll store templates in files on your filesystem rather than using the low-level Template API yourself. Save templates in a directory specified as a template directory.

Django searches for template directories in a number of places, depending on your template loading settings (see “Loader types” below), but the most basic way of specifying template directories is by using the DIRS option.

The DIRS option

Tell Django what your template directories are by using the DIRS option in the TEMPLATES setting in your settings file – or the dirs argument of Engine. This should be set to a list of strings that contain full paths to your template directories:

TEMPLATES = [
    {
        "BACKEND": "django.template.backends.django.DjangoTemplates",
        "DIRS": [
            "/home/html/templates/lawrence.com",
            "/home/html/templates/default",
        ],
    },
]

Your templates can go anywhere you want, as long as the directories and templates are readable by the Web server. They can have any extension you want, such as .html or .txt, or they can have no extension at all.

Note that these paths should use Unix-style forward slashes, even on Windows.

Loader types

By default, Django uses a filesystem-based template loader, but Django comes with a few other template loaders, which know how to load templates from other sources; the most commonly used of them, the apps loader, is described below.

FILESYSTEM LOADER

class filesystem.Loader

Loads templates from the filesystem, according to DIRS <TEMPLATES-DIRS>.

This loader is enabled by default. However it won’t find any templates until you set DIRS <TEMPLATES-DIRS>to a non-empty list:

TEMPLATES = [{
    "BACKEND": "django.template.backends.django.DjangoTemplates",
    "DIRS": [os.path.join(BASE_DIR, "templates")],
}]

APP DIRECTORIES LOADER

class app_directories.Loader

Loads templates from Django apps on the filesystem. For each app in INSTALLED_APPS, the loader looks for atemplates subdirectory. If the directory exists, Django looks for templates in there.

This means you can store templates with your individual apps. This also makes it easy to distribute Django apps with default templates.

For example, for this setting:

INSTALLED_APPS = ["myproject.reviews", "myproject.music"]

…then get_template("foo.html") will look for foo.html in these directories, in this order:

• /path/to/myproject/reviews/templates/
• /path/to/myproject/music/templates/

… and will use the one it finds first.

The order of INSTALLED_APPS is significant! For example, if you want to customize the Django admin, you might choose to override the standard admin/base_site.html template, from django.contrib.admin, with your own admin/base_site.html in myproject.reviewss. You must then make sure that your myproject.reviews comesbefore django.contrib.admin in INSTALLED_APPS, otherwise django.contrib.admin‘s will be loaded first and yours will be ignored.

Note that the loader performs an optimization when it first runs: it caches a list of which INSTALLED_APPSpackages have a templates subdirectory.

You can enable this loader simply by setting APP_DIRS to True:

TEMPLATES = [{
    "BACKEND": "django.template.backends.django.DjangoTemplates",
    "APP_DIRS": True,
}]

OTHER LOADERS

The remaining template loaders are:

• django.template.loaders.eggs.Loader
• django.template.loaders.cached.Loader
• django.template.loaders.locmem.Loader

These loaders are disabled by default, but you can activate them by adding a "loaders" option to yourDjangoTemplates backend in the TEMPLATES setting or passing a loaders argument to Engine. Details on these advanced loaders, as well as building your own custom loader, can be found on the Django Project website.

Extending the Template System

Now that you understand a bit more about the internals of the template system, let’s look at how to extend the system with custom code.

Most template customization comes in the form of custom template tags and/or filters. Although the Django template language comes with many built-in tags and filters, you’ll probably assemble your own libraries of tags and filters that fit your own needs. Fortunately, it’s quite easy to define your own functionality.

Code layout

Custom template tags and filters must live inside a Django app. If they relate to an existing app it makes sense to bundle them there; otherwise, you should create a new app to hold them.

The app should contain a templatetags directory, at the same level as models.py, views.py, etc. If this doesn’t already exist, create it – don’t forget the __init__.py file to ensure the directory is treated as a Python package. After adding this module, you will need to restart your server before you can use the tags or filters in templates.

Your custom tags and filters will live in a module inside the templatetags directory. The name of the module file is the name you’ll use to load the tags later, so be careful to pick a name that won’t clash with custom tags and filters in another app.

For example, if your custom tags/filters are in a file called review_extras.py, your app layout might look like this:

reviews/
    __init__.py
    models.py
    templatetags/
        __init__.py
        review_extras.py
    views.py

And in your template you would use the following:

highlight”>

{% load review_extras %}

The app that contains the custom tags must be in INSTALLED_APPS in order for the {% load %}<load> tag to work. This is a security feature: It allows you to host Python code for many template libraries on a single host machine without enabling access to all of them for every Django installation.

There’s no limit on how many modules you put in the templatetags package. Just keep in mind that a {% load %}<load> statement will load tags/filters for the given Python module name, not the name of the app.

To be a valid tag library, the module must contain a module-level variable named register that is atemplate.Library instance, in which all the tags and filters are registered. So, near the top of your module, put the following:

from django import template

register = template.Library()

Behind the scenes

For a ton of examples, read the source code for Django’s default filters and tags. They’re indjango/template/defaultfilters.py and django/template/defaulttags.py, respectively.

For more information on the load tag, read its documentation.

Creating a Template Library

Whether you’re writing custom tags or filters, the first thing to do is to create a template library – a small bit of infrastructure Django can hook into.

Creating a template library is a two-step process:

• First, decide which Django application should house the template library. If you’ve created an app viamanage.py startapp, you can put it in there, or you can create another app solely for the template library. We’d recommend the latter, because your filters might be useful to you in future projects.

  Whichever route you take, make sure to add the app to your INSTALLED_APPS setting. We’ll explain this shortly.

• Second, create a templatetags directory in the appropriate Django application’s package. It should be on the same level as models.py, views.py, and so forth. For example:

  books/
      __init__.py
      models.py
      templatetags/
      views.py
  

  Create two empty files in the templatetags directory: an __init__.py file (to indicate to Python that this is a package containing Python code) and a file that will contain your custom tag/filter definitions. The name of the latter file is what you’ll use to load the tags later. For example, if your custom tags/filters are in a file called review_extras.py, you’d write the following in a template:

  {% load review_extras %}
  

  The {% load %} tag looks at your INSTALLED_APPS setting and only allows the loading of template libraries within installed Django applications. This is a security feature; it allows you to host Python code for many template libraries on a single computer without enabling access to all of them for every Django installation.

If you write a template library that isn’t tied to any particular models/views, it’s valid and quite normal to have a Django application package that contains only a templatetags package. There’s no limit on how many modules you put in the templatetags package. Just keep in mind that a {% load %} statement will load tags/filters for the given Python module name, not the name of the application.

Once you’ve created that Python module, you’ll just have to write a bit of Python code, depending on whether you’re writing filters or tags.

To be a valid tag library, the module must contain a module-level variable named register that is an instance of template.Library. This is the data structure in which all the tags and filters are registered. So, near the top of your module, insert the following:

from django import template

register = template.Library()

Note

For a fine selection of examples, read the source code for Django’s default filters and tags. They’re indjango/template/defaultfilters.py and django/template/defaulttags.py, respectively. Some applications indjango.contrib also contain template libraries.

Once you’ve created this register variable, you’ll use it to create template filters and tags.

Custom template tags and filters

Django’s template language comes with a wide variety of built-in tags and filters designed to address the presentation logic needs of your application. Nevertheless, you may find yourself needing functionality that is not covered by the core set of template primitives. You can extend the template engine by defining custom tags and filters using Python, and then make them available to your templates using the {% load %}<load> tag.

Writing Custom Template Filters

Custom filters are just Python functions that take one or two arguments:

• The value of the variable (input) – not necessarily a string.
• The value of the argument – this can have a default value, or be left out altogether.

For example, in the filter {{ var|foo:"bar" }}, the filter foo would be passed the variable var and the argument "bar".

Since the template language doesn’t provide exception handling, any exception raised from a template filter will be exposed as a server error. Thus, filter functions should avoid raising exceptions if there is a reasonable fallback value to return. In case of input that represents a clear bug in a template, raising an exception may still be better than silent failure which hides the bug.

Here’s an example filter definition:

def cut(value, arg):
    """Removes all values of arg from the given string"""
    return value.replace(arg, "")

And here’s an example of how that filter would be used:

{{ somevariable|cut:"0" }}

Most filters don’t take arguments. In this case, just leave the argument out of your function. Example:

def lower(value): # Only one argument.
    """Converts a string into all lowercase"""
    return value.lower()

Registering custom filters

django.template.Library.filter()

Once you’ve written your filter definition, you need to register it with your Library instance, to make it available to Django’s template language:

register.filter("cut", cut)
register.filter("lower", lower)

The Library.filter() method takes two arguments:

1. The name of the filter – a string.
2. The compilation function – a Python function (not the name of the function as a string).

You can use register.filter() as a decorator instead:

@register.filter(name="cut")
def cut(value, arg):
    return value.replace(arg, "")

@register.filter
def lower(value):
    return value.lower()

If you leave off the name argument, as in the second example above, Django will use the function’s name as the filter name.

Finally, register.filter() also accepts three keyword arguments, is_safe, needs_autoescape, andexpects_localtime. These arguments are described in filters and auto-escaping and filters and time zones below.

Template filters that expect strings

django.template.defaultfilters.stringfilter()

If you’re writing a template filter that only expects a string as the first argument, you should use the decorator stringfilter. This will convert an object to its string value before being passed to your function:

from django import template
from django.template.defaultfilters import stringfilter

register = template.Library()

@register.filter
@stringfilter
def lower(value):
    return value.lower()

This way, you’ll be able to pass, say, an integer to this filter, and it won’t cause an AttributeError (because integers don’t have lower() methods).

Filters and auto-escaping

When writing a custom filter, give some thought to how the filter will interact with Django’s auto-escaping behavior. Note that three types of strings can be passed around inside the template code:

• Raw strings are the native Python str or unicode types. On output, they’re escaped if auto-escaping is in effect and presented unchanged, otherwise.

• Safe strings are strings that have been marked safe from further escaping at output time. Any necessary escaping has already been done. They’re commonly used for output that contains raw HTML that is intended to be interpreted as-is on the client side.

  Internally, these strings are of type SafeBytes or SafeText. They share a common base class of SafeData, so you can test for them using code like:

  if isinstance(value, SafeData):
      # Do something with the "safe" string.
      ...
  

• Strings marked as “needing escaping” are always escaped on output, regardless of whether they are in anautoescape block or not. These strings are only escaped once, however, even if auto-escaping applies.

  Internally, these strings are of type EscapeBytes or EscapeText. Generally you don’t have to worry about these; they exist for the implementation of the escape filter.

Template filter code falls into one of two situations:

1. Your filter does not introduce any HTML-unsafe characters (<, >, ", " or &) into the result that were not already present. In this case, you can let Django take care of all the auto-escaping handling for you. All you need to do is set the is_safe flag to True when you register your filter function, like so:

   @register.filter(is_safe=True)
   def myfilter(value):
       return value
   

   This flag tells Django that if a “safe” string is passed into your filter, the result will still be “safe” and if a non-safe string is passed in, Django will automatically escape it, if necessary.

   You can think of this as meaning “this filter is safe – it doesn’t introduce any possibility of unsafe HTML.”

   The reason is_safe is necessary is because there are plenty of normal string operations that will turn aSafeData object back into a normal str or unicode object and, rather than try to catch them all, which would be very difficult, Django repairs the damage after the filter has completed.

   For example, suppose you have a filter that adds the string xx to the end of any input. Since this introduces no dangerous HTML characters to the result (aside from any that were already present), you should mark your filter with is_safe:

   @register.filter(is_safe=True)
   def add_xx(value):
       return "%sxx" % value
   

   When this filter is used in a template where auto-escaping is enabled, Django will escape the output whenever the input is not already marked as “safe”.

   By default, is_safe is False, and you can omit it from any filters where it isn’t required.

   Be careful when deciding if your filter really does leave safe strings as safe. If you’re removing characters, you might inadvertently leave unbalanced HTML tags or entities in the result. For example, removing a >from the input might turn <a> into <a, which would need to be escaped on output to avoid causing problems. Similarly, removing a semicolon (;) can turn & into &amp, which is no longer a valid entity and thus needs further escaping. Most cases won’t be nearly this tricky, but keep an eye out for any problems like that when reviewing your code.

   Marking a filter is_safe will coerce the filter’s return value to a string. If your filter should return a boolean or other non-string value, marking it is_safe will probably have unintended consequences (such as converting a boolean False to the string ‘False’).

2. Alternatively, your filter code can manually take care of any necessary escaping. This is necessary when you’re introducing new HTML markup into the result. You want to mark the output as safe from further escaping so that your HTML markup isn’t escaped further, so you’ll need to handle the input yourself.

   To mark the output as a safe string, use django.utils.safestring.mark_safe().

   Be careful, though. You need to do more than just mark the output as safe. You need to ensure it really issafe, and what you do depends on whether auto-escaping is in effect. The idea is to write filters than can operate in templates where auto-escaping is either on or off in order to make things easier for your template authors.

   In order for your filter to know the current auto-escaping state, set the needs_autoescape flag to True when you register your filter function. (If you don’t specify this flag, it defaults to False). This flag tells Django that your filter function wants to be passed an extra keyword argument, called autoescape, that is True if auto-escaping is in effect and False otherwise.

   For example, let’s write a filter that emphasizes the first character of a string:

   from django import template
   from django.utils.html import conditional_escape
   from django.utils.safestring import mark_safe
   
   register = template.Library()
   
   @register.filter(needs_autoescape=True)
   def initial_letter_filter(text, autoescape=None):
       first, other = text[0], text[1:]
       if autoescape:
           esc = conditional_escape
       else:
           esc = lambda x: x
       result = "<strong>%s</strong>%s" % (esc(first), esc(other))
       return mark_safe(result)
   

   The needs_autoescape flag and the autoescape keyword argument mean that our function will know whether automatic escaping is in effect when the filter is called. We use autoescape to decide whether the input data needs to be passed through django.utils.html.conditional_escape or not. (In the latter case, we just use the identity function as the “escape” function.) The conditional_escape() function is like escape() except it only escapes input that is not a SafeData instance. If a SafeData instance is passed to conditional_escape(), the data is returned unchanged.

   Finally, in the above example, we remember to mark the result as safe so that our HTML is inserted directly into the template without further escaping.

   There’s no need to worry about the is_safe flag in this case (although including it wouldn’t hurt anything). Whenever you manually handle the auto-escaping issues and return a safe string, the is_safeflag won’t change anything either way.

Warning

Avoiding XSS vulnerabilities when reusing built-in filters

Be careful when reusing Django’s built-in filters. You’ll need to pass autoescape=True to the filter in order to get the proper autoescaping behavior and avoid a cross-site script vulnerability.

For example, if you wanted to write a custom filter called urlize_and_linebreaks that combined the urlizeand linebreaksbr filters, the filter would look like:

from django.template.defaultfilters import linebreaksbr, urlize

@register.filter
def urlize_and_linebreaks(text):
    return linebreaksbr(urlize(text, autoescape=True), autoescape=True)

Then:

highlight”>

{{ comment|urlize_and_linebreaks }}

would be equivalent to:

ass=”highlight”>

{{ comment|urlize|linebreaksbr }}

Filters and time zones

If you write a custom filter that operates on datetime objects, you’ll usually register it with theexpects_localtime flag set to True:

@register.filter(expects_localtime=True)
def businesshours(value):
    try:
        return 9 <= value.hour < 17
    except AttributeError:
        return ""

When this flag is set, if the first argument to your filter is a time zone aware datetime, Django will convert it to the current time zone before passing it to your filter when appropriate, according to rules for time zones conversions in templates.

Writing custom template tags

Tags are more complex than filters, because tags can do anything. Django provides a number of shortcuts that make writing most types of tags easier. First we’ll explore those shortcuts, then explain how to write a tag from scratch for those cases when the shortcuts aren’t powerful enough.

Simple tags

django.template.Library.simple_tag()

Many template tags take a number of arguments – strings or template variables – and return a result after doing some processing based solely on the input arguments and some external information. For example, a current_time tag might accept a format string and return the time as a string formatted accordingly.

To ease the creation of these types of tags, Django provides a helper function, simple_tag. This function, which is a method of django.template.Library, takes a function that accepts any number of arguments, wraps it in a render function and the other necessary bits mentioned above and registers it with the template system.

Our current_time function could thus be written like this:

import datetime
from django import template

register = template.Library()

@register.simple_tag
def current_time(format_string):
    return datetime.datetime.now().strftime(format_string)

A few things to note about the simple_tag helper function:

• Checking for the required number of arguments, etc., has already been done by the time our function is called, so we don’t need to do that.
• The quotes around the argument (if any) have already been stripped away, so we just receive a plain string.
• If the argument was a template variable, our function is passed the current value of the variable, not the variable itself.

If your template tag needs to access the current context, you can use the takes_context argument when registering your tag:

@register.simple_tag(takes_context=True)
def current_time(context, format_string):
    timezone = context["timezone"]
    return your_get_current_time_method(timezone, format_string)

Note that the first argument must be called context.

For more information on how the takes_context option works, see the section on inclusion tags.

If you need to rename your tag, you can provide a custom name for it:

register.simple_tag(lambda x: x - 1, name="minusone")

@register.simple_tag(name="minustwo")
def some_function(value):
    return value - 2

simple_tag functions may accept any number of positional or keyword arguments. For example:

@register.simple_tag
def my_tag(a, b, *args, **kwargs):
    warning = kwargs["warning"]
    profile = kwargs["profile"]
    ...
    return ...

Then in the template any number of arguments, separated by spaces, may be passed to the template tag. Like in Python, the values for keyword arguments are set using the equal sign (“=“) and must be provided after the positional arguments. For example:

highlight”>

{% my_tag 123 "abcd" book.title warning=message|lower profile=user.profile %}

Inclusion tags

django.template.Library.inclusion_tag()

Another common type of template tag is the type that displays some data by rendering another template. For example, Django’s admin interface uses custom template tags to display the buttons along the bottom of the “add/change” form pages. Those buttons always look the same, but the link targets change depending on the object being edited – so they’re a perfect case for using a small template that is filled with details from the current object. (In the admin’s case, this is the submit_row tag.)

These sorts of tags are called inclusion tags. Writing inclusion tags is probably best demonstrated by example. Let’s write a tag that produces a list of books for a given Author object. We’ll use the tag like this:

{% books_for_author author %}

The result will be something like this:

<ul>
    <li>The Cat In The Hat</li>
    <li>Hop On Pop</li>
    <li>Green Eggs And Ham</li>
</ul>

First, we define the function that takes the argument and produces a dictionary of data for the result. Notice that we need to return only a dictionary, not anything more complex. This will be used as the context for the template fragment:

def books_for_author(author):
    books = Book.objects.filter(authors__id=author.id)
    return {"books": books}

Next, we create the template used to render the tag’s output. Following our example, the template is very simple:

<ul>
{% for book in books %}
    <li>{{ book.title }}</li>
{% endfor %}
</ul>

Finally, we create and register the inclusion tag by calling the inclusion_tag() method on a Library object.

Following our example, if the preceding template is in a file called book_snippet.html in a directory that’s searched by the template loader, we register the tag like this:

# Here, register is a django.template.Library instance, as before
@register.inclusion_tag("book_snippet.html")
def show_reviews(review):
    ...

Alternatively it is possible to register the inclusion tag using a django.template.Template instance:

from django.template.loader import get_template
t = get_template("book_snippet.html")
register.inclusion_tag(t)(show_reviews)

…when first creating the function.

Sometimes, your inclusion tags might require a large number of arguments, making it a pain for template authors to pass in all the arguments and remember their order. To solve this, Django provides atakes_context option for inclusion tags. If you specify takes_context in creating an inclusion tag, the tag will have no required arguments, and the underlying Python function will have one argument: the template context as of when the tag was called.

For example, say you’re writing an inclusion tag that will always be used in a context that containshome_link and home_title variables that point back to the main page. Here’s what the Python function would look like:

@register.inclusion_tag("link.html", takes_context=True)
def jump_link(context):
    return {
        "link": context["home_link"],
        "title": context["home_title"],
    }

(Note that the first parameter to the function must be called context.)

The template link.html might contain the following:

Jump directly to <a href="{{ link }}">{{ title }}</a>.

Then, anytime you want to use that custom tag, load its library and call it without any arguments, like so:

{% jump_link %}

Note that when you’re using takes_context=True, there’s no need to pass arguments to the template tag. It automatically gets access to the context.

The takes_context parameter defaults to False. When it’s set to True, the tag is passed the context object, as in this example. That’s the only difference between this case and the previous inclusion_tag example.

inclusion_tag functions may accept any number of positional or keyword arguments. For example:

@register.inclusion_tag("my_template.html")
def my_tag(a, b, *args, **kwargs):
    warning = kwargs["warning"]
    profile = kwargs["profile"]
    ...
    return ...

Then in the template any number of arguments, separated by spaces, may be passed to the template tag. Like in Python, the values for keyword arguments are set using the equal sign (“=“) and must be provided after the positional arguments. For example:

highlight”>

{% my_tag 123 "abcd" book.title warning=message|lower profile=user.profile %}

Assignment tags

django.template.Library.assignment_tag()

To ease the creation of tags setting a variable in the context, Django provides a helper function,assignment_tag. This function works the same way as simple_tag() except that it stores the tag’s result in a specified context variable instead of directly outputting it.

Our earlier current_time function could thus be written like this:

@register.assignment_tag
def get_current_time(format_string):
    return datetime.datetime.now().strftime(format_string)

You may then store the result in a template variable using the as argument followed by the variable name, and output it yourself where you see fit:

highlight”>

{% get_current_time "%Y-%m-%d %I:%M %p" as the_time %}
<p>The time is {{ the_time }}.</p>

Advanced custom template tags

Sometimes the basic features for custom template tag creation aren’t enough. Don’t worry, Django gives you complete access to the internals required to build a template tag from the ground up.

A quick overview

The template system works in a two-step process: compiling and rendering. To define a custom template tag, you specify how the compilation works and how the rendering works.

When Django compiles a template, it splits the raw template text into ”nodes”. Each node is an instance of django.template.Node and has a render() method. A compiled template is, simply, a list of Node objects. When you call render() on a compiled template object, the template calls render() on each Node in its node list, with the given context. The results are all concatenated together to form the output of the template.

Thus, to define a custom template tag, you specify how the raw template tag is converted into a Node (the compilation function), and what the node’s render() method does.

Writing the compilation function

For each template tag the template parser encounters, it calls a Python function with the tag contents and the parser object itself. This function is responsible for returning a Node instance based on the contents of the tag.

For example, let’s write a full implementation of our simple template tag, {% current_time %}, that displays the current date/time, formatted according to a parameter given in the tag, in strftime() syntax. It’s a good idea to decide the tag syntax before anything else. In our case, let’s say the tag should be used like this:

<p>The time is {% current_time "%Y-%m-%d %I:%M %p" %}.</p>

The parser for this function should grab the parameter and create a Node object:

from django import template

def do_current_time(parser, token):
    try:
        # split_contents() knows not to split quoted strings.
        tag_name, format_string = token.split_contents()
    except ValueError:
        raise template.TemplateSyntaxError("%r tag requires a single argument" % token.contents.split()[0])
    if not (format_string[0] == format_string[-1] and format_string[0] in (""", """)):
        raise template.TemplateSyntaxError("%r tag"s argument should be in quotes" % tag_name)
    return CurrentTimeNode(format_string[1:-1])

Notes:

• parser is the template parser object. We don’t need it in this example.
• token.contents is a string of the raw contents of the tag. In our example, it’s "current_time "%Y-%m-%d %I:%M %p"".
• The token.split_contents() method separates the arguments on spaces while keeping quoted strings together. The more straightforward token.contents.split() wouldn’t be as robust, as it would naively split on all spaces, including those within quoted strings. It’s a good idea to always use token.split_contents().
• This function is responsible for raising django.template.TemplateSyntaxError, with helpful messages, for any syntax error.
• The TemplateSyntaxError exceptions use the tag_name variable. Don’t hard-code the tag’s name in your error messages, because that couples the tag’s name to your function. token.contents.split()[0] will ”always” be the name of your tag – even when the tag has no arguments.
• The function returns a CurrentTimeNode with everything the node needs to know about this tag. In this case, it just passes the argument – "%Y-%m-%d %I:%M %p". The leading and trailing quotes from the template tag are removed in format_string[1:-1].
• The parsing is very low-level. The Django developers have experimented with writing small frameworks on top of this parsing system, using techniques such as EBNF grammars, but those experiments made the template engine too slow. It’s low-level because that’s fastest.

Writing the renderer

The second step in writing custom tags is to define a Node subclass that has a render() method.

Continuing the above example, we need to define CurrentTimeNode:

import datetime
from django import template

class CurrentTimeNode(template.Node):
    def __init__(self, format_string):
        self.format_string = format_string

    def render(self, context):
        return datetime.datetime.now().strftime(self.format_string)

Notes:

• __init__() gets the format_string from do_current_time(). Always pass any options/parameters/arguments to a Node via its __init__().
• The render() method is where the work actually happens.
• render() should generally fail silently, particularly in a production environment where DEBUG andTEMPLATE_DEBUG are False. In some cases however, particularly if TEMPLATE_DEBUG is True, this method may raise an exception to make debugging easier. For example, several core tags raisedjango.template.TemplateSyntaxError if they receive the wrong number or type of arguments.

Ultimately, this decoupling of compilation and rendering results in an efficient template system, because a template can render multiple contexts without having to be parsed multiple times.

Auto-escaping considerations

The output from template tags is not automatically run through the auto-escaping filters. However, there are still a couple of things you should keep in mind when writing a template tag.

If the render() function of your template stores the result in a context variable (rather than returning the result in a string), it should take care to call mark_safe() if appropriate. When the variable is ultimately rendered, it will be affected by the auto-escape setting in effect at the time, so content that should be safe from further escaping needs to be marked as such.

Also, if your template tag creates a new context for performing some sub-rendering, set the auto-escape attribute to the current context

文章导航