Escaping data inside Django template tags

This may be something that most people know, but I had a hard time tracking this down for some reason.

I have a couple of custom template tags that do things like get Twitter feeds or my GitHub commits. Some of them are simple inclusion tags and don't need this; however, I do have one tag that gets some data and spits it out formatted. Now, I know this may not be the best possible solution to the problem and I will eventually go back and fix this code to do something else, but for now, I wanted to make sure that the data that was being formatted inside of the template tag was being escaped so that I could avoid any XSS issues that could potentially arise.

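So the easiest thing to do is to import the escape function.

from django import template
from django.utils.html import escape

register = template.Library()

@register.simple_tag
def super_tag():
    # get_some_data() stands in for whatever fetches the feed or commit data
    data = get_some_data('whatever')
    # escape() converts &, <, >, " and ' to HTML entities before interpolation
    return '<p>%s</p>' % escape(data)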

That's it. Now if data has anything in it, like say a <script> tag with some JavaScript in there, escape() turns the HTML special characters into entities, so it shows up as plain text instead of running and you won't have to worry about XSS from that value. Simple and probably well known, but I'm putting this out there anyway, if not for others, for myself so I'll remember!