How to prevent auto escape in Django templates?

Tags: django


Django has a subclass of strings called safe strings (specifically SafeUnicode or SafeString), which can be created using django.utils.safestring.mark_safe. When the template engine comes across a safe string it doesn't perform HTML escaping on it:

>>> from django.utils.safestring import mark_safe
>>> from django.template import Template, Context
>>> Template("{{ name }}").render(Context({'name': mark_safe('<b>Brad</b>')}))
u"<b>Brad</b>"

If you're writing your own template tag, you need to implement render() which will return a string that will be treated as safe, meaning you have to handle any escaping necessary yourself. However if you're writing a template filter, you can set the attribute is_safe = True on the filter to avoid auto escaping of the returned value, e.g.

from django import template

register = template.Library()

@register.filter
def myfilter(value):
    # Returns its input unchanged, so it adds no markup of its own;
    # is_safe tells the engine it can trust the output when the input was safe.
    return value
myfilter.is_safe = True

See https://docs.djangoproject.com/en/1.3/howto/custom-template-tags/#filters-and-auto-escaping for details.


You could call django.utils.safestring.mark_safe and pass your variable:

from django.utils.safestring import mark_safe
from django.views.generic.simple import direct_to_template

...
    return direct_to_template(request, 'my-template.html',
                              {'safe_var': mark_safe('<script>alert("");</script>')})

In the template it will be printed without escaping (the alert will pop up). Though auto-escape is really a great feature that will save you from some bad things.
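To make the autoescape rules that both answers rely on concrete, here is a small stand-alone model of the mechanism, added as an illustration; it is not Django's source and not code from either answer. It models a str subclass as the "safe" marker, an escape that skips marked values, the is_safe filter rule (the output is only marked safe when the input was already safe, so an is_safe filter cannot launder untrusted data), and a filter that wraps untrusted input in markup both the unsafe way and the correct way using a conditional escape. The names mirror Django's (SafeString, mark_safe, conditional_escape) but the implementations are simplified assumptions, and the user input is a constructed sample.

```python
import html


class SafeString(str):
    """Marker subclass: a value the renderer must not escape again.

    Modelled on Django's SafeString/SafeUnicode; simplified assumption, not Django code.
    """


def mark_safe(value):
    """Mark a string as trusted HTML (model of django.utils.safestring.mark_safe)."""
    if isinstance(value, SafeString):
        return value
    return SafeString(value)


def escape(value):
    """HTML-escape unconditionally; the escaped result is itself safe to emit."""
    return mark_safe(html.escape(str(value), quote=True))


def conditional_escape(value):
    """Escape only values not already marked safe (model of django.utils.html.conditional_escape)."""
    if isinstance(value, SafeString):
        return value
    return escape(value)


def render_variable(value, filters=(), autoescape=True):
    """Model of what {{ var|f1|f2 }} does: apply filters, then autoescape unless the value is safe.

    The is_safe rule mirrors Django's: a filter flagged is_safe only has its output re-marked
    safe when its *input* was already safe, so is_safe never turns untrusted input into markup.
    """
    for f in filters:
        input_was_safe = isinstance(value, SafeString)
        value = f(value)
        if getattr(f, "is_safe", False) and input_was_safe:
            value = mark_safe(value)
    if autoescape:
        return str(conditional_escape(value))
    return str(value)


# --- filters, as an app would register them (registration omitted in this model) ---

def myfilter(value):
    """The identity filter from the first answer: adds no markup, so is_safe = True is honest."""
    return value
myfilter.is_safe = True


def bold_unsafe(value):
    """Hazard: marks the result safe without escaping the untrusted input it embeds."""
    return mark_safe("<b>%s</b>" % value)


def bold_safe(value):
    """Correct form: escape whatever is not already safe, then mark the assembled markup safe."""
    return mark_safe("<b>%s</b>" % conditional_escape(value))


# Constructed sample standing in for user-controlled data (same payload as the second answer).
USER_INPUT = '<script>alert("")</script>'


def demo():
    """Render each case and return the outputs so they can be checked programmatically."""
    return {
        "plain": render_variable(USER_INPUT),
        "marked_safe": render_variable(mark_safe(USER_INPUT)),
        "is_safe_filter_untrusted": render_variable(USER_INPUT, [myfilter]),
        "is_safe_filter_trusted": render_variable(mark_safe("<b>Brad</b>"), [myfilter]),
        "bold_unsafe": render_variable(USER_INPUT, [bold_unsafe]),
        "bold_safe": render_variable(USER_INPUT, [bold_safe]),
        "autoescape_off": render_variable(USER_INPUT, autoescape=False),
    }


if __name__ == "__main__":
    for case, out in demo().items():
        print("%-26s %s" % (case, out))
```

The two cases worth comparing are "is_safe_filter_untrusted", where the flag on myfilter does not stop the untrusted input from being escaped, and "bold_unsafe" versus "bold_safe", where the only difference is whether the filter escaped its input before calling mark_safe; that is the escaping the first answer says a tag or filter author has to handle themselves.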