Challenge 3: Demonstrate Auto-Escaping — Possible Solution ==================================================================== # catalog/views.py from django.shortcuts import render def escaping_demo(request): dangerous_value = '' return render(request, "catalog/escaping_demo.html", {"value": dangerous_value})
{{ value }}
{{ value|safe }}
WHAT EACH VERSION ACTUALLY SENDS TO THE BROWSER -------------------------------------------------- {{ value }} — the escaped version — sends this literal HTML source:<script>alert("xss")</script>
The browser displays this as plain, inert TEXT on the page: It looks like a script tag when read, but it is NOT one — the angle brackets and quotes were converted to HTML entities (<, >, "), so the browser's HTML parser never recognizes it as a real The browser's HTML parser sees a genuine