[SOLVED] Strip unwanted html entieties

Strip unwanted html entieties

I'm upgrading mezzanine/django application from Mezzanine4.x/python2.7 to Mezzanine5.0/python3.7. My HTML page has been created using templatetags. Now the upgaraded page shows unwanted html entieties when checked with browser's (Firefox or Chrome) view page source feature. In python 2.7 it looks like

 <p><a href='/'>Etusivu</a> > Ajankohtaista</p>

whereas in python 3.7 it shows

  <p>&lt;a href=&#39;/&#39;&gt;Etusivu tags1&lt;/a&gt; &gt; Ajankohtaista</p>

these unwanted entieties are not seen with browser's inspect element feature.

from html:

<!doctype html>

{% load pages_tags mezzanine_tags i18n future staticfiles statfi_tags %}

<body id="{% block body_id %}body{% endblock %}">

{% block base %}
    <div id="container">
        <main id="page">
            <div class="row">
                <div id="breadcrumbs" class="col-xs-7 col-sm-8 col-md-9 col-lg-10">
                    {% block breadcrumbs %}
                        {% if page.basicpage %}
                            <p>{% anna_murut page.basicpage %}</p>
                        {% endif %}
                    {% endblock %}
                </div>                                                                                                
            </div>
            {% endblock %}
        </main>  
    </div>    
{% endblock %}

</body>
</html>

from statfi_tags.py

# -*- coding: utf-8 -*-

from django import template
from datetime import date
from page_types import models
from django.db import models
from django.contrib.sites.models import Site
from django.template import Context, RequestContext
from django.template import Library, Node
from page_types.models import BasicPage, RegisterDescPage
from mezzanine.pages.models import Page, Link
from django.utils.encoding import *

register = template.Library()

def anna_murut(BasicPage):
  sivu = BasicPage
  letka = letka = u"<a href='/'>Etusivu</a> > "     
    if not "/" + BasicPage.slug == site_url(BasicPage):
      letka += u"<a href='"+ site_url(BasicPage) +"'>"+ str(paasite(BasicPage)) +"</a> > " 
    letka += BasicPage.title
  return letka

register.simple_tag(anna_murut)

Python 2.7-version in browser:

Python 3.7-version in browser:

Any ideas how to fix python 3.7 version? I don't know it it could be fixed in python code as the unwanted entities are note seen when I print the string returned by function "anna_murut".

Solution

The newer Django versions mark simple tags as unsafe by default, that means they may contain user submitted harmful code, therefore Django will escape any "dangerous" HTML tag.

You have to mark explicitly any string returned by custom tags as safe in order to avoid the default escaping.

from django.utils.safestring import mark_safe

def anna_murut(BasicPage):
    # ...
    return mark_safe(letka)

Just make sure that letka does not contain any unescaped user-submitted content.