This may be something that most people know, but I had a hard time tracking this down for some reason.
I have a couple of custom template tags that do things like get Twitter feeds or my GitHub commits. Some of them are simple inclusion tags and don't need this; however, I do have one tag that gets some data and spits it out formatted. Now, I know this may not be the best possible solution to the problem, and I will eventually go back and fix this code to do something else, but for now I wanted to make sure that the data being formatted inside the template tag was escaped, so that I could avoid any XSS issues that could potentially arise.
So the easiest thing to do is to import the
from django import template
from django.utils.html import escape
register = template.Library()
@register.simple_tag
def formatted_data():  # placeholder tag name; the original function name is not on this page
    # get_some_data is the author's own fetch helper; it is not shown on this page
    data = get_some_data('whatever')
    # escape() turns <, >, &, " and ' into entities, so markup in data renders as text
    return '<p>%s</p>' % escape(data)
That's it. Now if data has anything in it, like say a
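Added example (not the post's own code) that puts the escape-then-wrap pattern from the post beside the vulnerable mark_safe version and Django's format_html idiom; it assumes Django's helpers and falls back to small stand-ins that produce the same entities, and the feed item, the tag function names and as_simple_tag_output are constructed for illustration.

```python
import html

try:
    # Django's real helpers, used when this runs inside a Django project
    from django.utils.html import conditional_escape, escape, format_html
    from django.utils.safestring import SafeString, mark_safe
except ImportError:
    # Minimal stand-ins so the example also runs without Django; they produce the
    # same entities as django.utils.html.escape (which wraps html.escape)
    class SafeString(str):
        pass

    def mark_safe(s):
        return SafeString(s)

    def escape(text):
        return SafeString(html.escape(str(text), quote=True))

    def conditional_escape(text):
        return text if isinstance(text, SafeString) else escape(text)

    def format_html(fmt, *args, **kwargs):
        return mark_safe(fmt.format(*(conditional_escape(a) for a in args),
                                    **{k: conditional_escape(v) for k, v in kwargs.items()}))

# Constructed sample feed item: a tweet or commit message is attacker-influenced text
FEED_ITEM = 'fixed bug <script>alert(1)</script> & pushed'


def unsafe_feed_tag(data):
    """Vulnerable: mark_safe on the whole string lets markup in data reach the browser as-is."""
    return mark_safe('<p>%s</p>' % data)


def escaped_feed_tag(data):
    """The post's pattern: escape the data, then wrap it in markup (result is a plain str)."""
    return '<p>%s</p>' % escape(data)


def format_html_feed_tag(data):
    """Current Django idiom: format_html escapes each argument and marks only the result safe."""
    return format_html('<p>{}</p>', data)


def as_simple_tag_output(value):
    """What Django does to a simple_tag's return value when autoescaping is on:
    a plain str is escaped again, a SafeString passes through untouched."""
    return conditional_escape(value)
```

Because current Django runs conditional_escape on a simple_tag's return value, the post's pattern yields a plain str whose own p tags get escaped a second time, while format_html's result passes through unchanged.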