Custom template tags and filters

Django's template language comes with a wide variety of built-in tags and filters designed to address the presentation logic needs of your application. Nevertheless, you may find yourself needing functionality that is not covered by the core set of template primitives. You can extend the template engine by defining custom tags and filters using Python, and then make them available to your templates using the {% load %} tag.

The most common place to specify custom template tags and filters is inside a Django app. If they relate to an existing app, it makes sense to bundle them there; otherwise, they can be added to a new app. When a Django app is added to INSTALLED_APPS, any tags it defines in the conventional location described below are automatically made available to load within templates.

The app should contain a templatetags directory, at the same level,, etc. If this doesn't already exist, create it – don't forget the __init__.py file to ensure the directory is treated as a Python package.

Development server won't automatically restart

After adding the templatetags module, you will need to restart your server before you can use the tags or filters in templates.

Your custom tags and filters will live in a module inside the templatetags directory. The name of the module file is the name you'll use to load the tags later, so be careful to pick a name that won't clash with custom tags and filters in another app.

For example, if your custom tags/filters are in a file, your app layout might look like this:

And in your template you would use the following:

The app that contains the custom tags must be in INSTALLED_APPS in order for the {% load %} tag to work. This is a security feature: It allows you to host Python code for many template libraries on a single host machine without enabling access to all of them for every Django installation.

There's no limit on how many modules you put in the templatetags package. Just keep in mind that a {% load %} statement will load tags/filters for the given Python module name, not the name of the app.

To be a valid tag library, the module must contain a module-level variable named register that is a template.Library instance, in which all the tags and filters are registered. So, near the top of your module, put the following:

Alternatively, template tag modules can be registered through the libraries argument to DjangoTemplates. This is useful if you want to use a different label from the template tag module name when loading template tags. It also enables you to register tags without installing an application.

For a ton of examples, read the source code for Django's default filters and tags. They're in django/template/defaultfilters.py and django/template/, respectively.

For more information on the load tag, read its documentation.

Custom filters are just Python functions that take one or two arguments:

The value of the variable (input), not necessarily a string.

The value of the argument; this can have a default value, or be left out altogether.

For example, in the filter {{ var|foo:"bar" }}, the filter foo would be passed the variable var and the argument "bar".

Since the template language doesn't provide exception handling, any exception raised from a template filter will be exposed as a server error. Thus, filter functions should avoid raising exceptions if there is a reasonable fallback value to return. In case of input that represents a clear bug in a template, raising an exception may still be better than silent failure which hides the bug.

Here's an example filter definition:

And here's an example of how that filter would be used:

Most filters don't take arguments. In this case, just leave the argument out of your function. Example:

Once you've written your filter definition, you need to register it with your Library instance, to make it available to Django's template language:

The Library.filter() method takes two arguments:

You can use register.filter() as a decorator instead:

If you leave off the name argument, as in the second example above, Django will use the function's name as the filter name.

Finally, register.filter() also accepts three keyword arguments, is_safe, needs_autoescape, and expects_localtime. These arguments are described in filters and auto-escaping and filters and time zones below.

If you're writing a template filter that only expects a string as the first argument, you should use the decorator stringfilter. This will convert an object to its string value before being passed to your function:

This way, you'll be able to pass, say, an integer to this filter, and it won't cause an AttributeError (because integers don't have lower() methods).

When writing a custom filter, give some thought to how the filter will interact with Django's auto-escaping behavior. Note that two types of strings can be passed around inside the template code:

Raw strings are the native Python strings. On output, they're escaped if auto-escaping is in effect and presented unchanged, otherwise.

Safe strings are strings that have been marked safe from further escaping at output time. Any necessary escaping has already been done. They're commonly used for output that contains raw HTML that is intended to be interpreted as-is on the client side.

Internally, these strings are of type SafeText. You can test for them using code like:

Template filter code falls into one of two situations:

Your filter does not introduce any HTML-unsafe characters (<, >, ', " or &) into the result that were not already present. In this case, you can let Django take care of all the auto-escaping handling for you. All you need to do is set the is_safe flag to True when you register your filter function, like so:

This flag tells Django that if a safe string is passed into your filter, the result will still be safe and if a non-safe string is passed in, Django will automatically escape it, if necessary.

You can think of this as meaning "this filter is safe: it doesn't introduce any possibility of unsafe HTML."

The reason is_safe is necessary is because there are plenty of normal string operations that will turn a SafeData object back into a normal str object and, rather than try to catch them all, which would be very difficult, Django repairs the damage after the filter has completed.

For example, suppose you have a filter that adds the string xx to the end of any input. Since this introduces no dangerous HTML characters to the result (aside from any that were already present), you should mark your filter with is_safe:

When this filter is used in a template where auto-escaping is enabled, Django will escape the output whenever the input is not already marked as safe.

By default, is_safe is False, and you can omit it from any filters where it isn't required.

Be careful when deciding if your filter really does leave safe strings as safe. If you're removing characters, you might inadvertently leave unbalanced HTML tags or entities in the result. For example, removing a > from the input might turn <a> into <a, which would need to be escaped on output to avoid causing problems. Similarly, removing a semicolon (;) can turn &amp; into &amp, which is no longer a valid entity and thus needs further escaping. Most cases won't be nearly this tricky, but keep an eye out for any problems like that when reviewing your code.

Marking a filter is_safe will coerce the filter's return value to a string. If your filter should return a boolean or other non-string value, marking it is_safe will probably have unintended consequences (such as converting a boolean False to the string 'False').

Alternatively, your filter code can manually take care of any necessary escaping. This is necessary when you're introducing new HTML markup into the result. You want to mark the output as safe from further escaping so that your HTML markup isn't escaped further, so you'll need to handle the input yourself.

To mark the output as a safe string, use django.utils.safestring.mark_safe().

Be careful, though. You need to do more than just mark the output as safe. You need to ensure it really is safe, and what you do depends on whether auto-escaping is in effect. The idea is to write filters that can operate in templates where auto-escaping is either on or off in order to make things easier for your template authors.

In order for your filter to know the current auto-escaping state, set the needs_autoescape flag to True when you register your filter function. (If you don't specify this flag, it defaults to False). This flag tells Django that your filter function wants to be passed an extra keyword argument, called autoescape, that is True if auto-escaping is in effect and False otherwise. It is recommended to set the default of the autoescape parameter to True, so that if you call the function from Python code it will have escaping enabled by default.

For example, let's write a filter that emphasizes the first character of a string:

The needs_autoescape flag and the autoescape keyword argument mean that our function will know whether automatic escaping is in effect when the filter is called. We use autoescape to decide whether the input data needs to be passed through or not. (In the latter case, we just use the identity function as the "escape" function.) The conditional_escape() function is like escape() except it only escapes input that is not a SafeData instance. If a SafeData instance is passed to conditional_escape(), the data is returned unchanged.

Finally, in the above example, we remember to mark the result as safe so that our HTML is inserted directly into the template without further escaping.

There's no need to worry about the is_safe flag in this case (although including it wouldn't hurt anything). Whenever you manually handle the auto-escaping issues and return a safe string, the is_safe flag won't change anything either way.

Avoiding XSS vulnerabilities when reusing built-in filters

Django's built-in filters have autoescape=True by default in order to get the proper autoescaping behavior and avoid a cross-site script vulnerability.

In older versions of Django, be careful when reusing Django's built-in filters as autoescape defaults to None. You'll need to pass autoescape=True to get autoescaping.

For example, if you wanted to write a custom filter called urlize_and_linebreaks that combined the urlize and linebreaksbr filters, the filter would look like:

If you write a custom filter that operates on datetime objects, you'll usually register it with the expects_localtime flag set to True:

When this flag is set, if the first argument to your filter is a time zone aware datetime, Django will convert it to the current time zone before passing it to your filter when appropriate, according to rules for time zones conversions in templates.

Tags are more complex than filters, because tags can do anything. Django provides a number of shortcuts that make writing most types of tags easier. First we'll explore those shortcuts, then explain how to write a tag from scratch for those cases when the shortcuts aren't powerful enough.

Many template tags take a number of arguments (strings or template variables) and return a result after doing some processing based solely on the input arguments and some external information. For example, a current_time tag might accept a format string and return the time as a string formatted accordingly.

To ease the creation of these types of tags, Django provides a helper function, simple_tag. This function, which is a method of django.template.Library, takes a function that accepts any number of arguments, wraps it in a render function and the other necessary bits mentioned above and registers it with the template system.

Our current_time function could thus be written like this:

A few things to note about the simple_tag helper function:

Checking for the required number of arguments, etc., has already been done by the time our function is called, so we don't need to do that.

The quotes around the argument (if any) have already been stripped away, so we just receive a plain string.

If the argument was a template variable, our function is passed the current value of the variable, not the variable itself.

Unlike other tag utilities, simple_tag passes its output through conditional_escape() if the template context is in autoescape mode, to ensure correct HTML and protect you from XSS vulnerabilities.

If additional escaping is not desired, you will need to use mark_safe() if you are absolutely sure that your code does not contain XSS vulnerabilities. For building small HTML snippets, use of format_html() instead of mark_safe() is strongly recommended.

If your template tag needs to access the current context, you can use the takes_context argument when registering your tag:

Note that the first argument must be called context.

For more information on how the takes_context option works, see the section on inclusion tags.

If you need to rename your tag, you can provide a custom name for it:

simple_tag functions may accept any number of positional or keyword arguments. For example:

Then in the template any number of arguments, separated by spaces, may be passed to the template tag. Like in Python, the values for keyword arguments are set using the equal sign (=) and must be provided after the positional arguments. For example:

It's possible to store the tag results in a template variable rather than directly outputting it. This is done by using the as argument followed by the variable name. Doing so enables you to output the content yourself where you see fit:

Another common type of template tag is the type that displays some data by rendering another template. For example, Django's admin interface uses custom template tags to display the buttons along the bottom of the "add/change" form pages. Those buttons always look the same, but the link targets change depending on the object being edited, so they're a perfect case for using a small template that is filled with details from the current object. (In the admin's case, this is the submit_row tag.)

These sorts of tags are called inclusion tags.

Writing inclusion tags is probably best demonstrated by example. Let's write a tag that outputs a list of choices for a given Poll object, such as was created in the tutorials. We'll use the tag like this:

and the output will be something like this:

First, define the function that takes the argument and produces a dictionary of data for the result. The important point here is we only need to return a dictionary, not anything more complex. This will be used as a template context for the template fragment. Example:

Next, create the template used to render the tag's output. This template is a fixed feature of the tag: the tag writer specifies it, not the template designer. Following our example, the template is very simple:

Now, create and register the inclusion tag by calling the inclusion_tag() method on a Library object. Following our example, if the above template is in a file called results.html in a directory that's searched by the template loader, we'd register the tag like this:

Alternatively it is possible to register the inclusion tag using a django.template.Template instance:

Sometimes, your inclusion tags might require a large number of arguments, making it a pain for template authors to pass in all the arguments and remember their order. To solve this, Django provides a takes_context option for inclusion tags. If you specify takes_context in creating a template tag, the tag will have no required arguments, and the underlying Python function will have one argument: the template context as of when the tag was called.

For example, say you're writing an inclusion tag that will always be used in a context that contains home_link and home_title variables that point back to the main page. Here's what the Python function would look like:

Note that the first parameter to the function must be called context.

In that register.inclusion_tag() line, we specified takes_context=True and the name of the template. Here's what the template link.html might look like:

Then, any time you want to use that custom tag, load its library and call it without any arguments, like so:

Note that when you're using takes_context=True, there's no need to pass arguments to the template tag. It automatically gets access to the context.

The takes_context parameter defaults to False. When it's set to True, the tag is passed the context object, as in this example. That's the only difference between this case and the previous inclusion_tag example.

inclusion_tag functions may accept any number of positional or keyword arguments. For example:

Then in the template any number of arguments, separated by spaces, may be passed to the template tag. Like in Python, the values for keyword arguments are set using the equal sign (=) and must be provided after the positional arguments. For example:

Sometimes the basic features for custom template tag creation aren't enough. Don't worry, Django gives you complete access to the internals required to build a template tag from the ground up.

The template system works in a two-step process: compiling and rendering. To define a custom template tag, you specify how the compilation works and how the rendering works.

When Django compiles a template, it splits the raw template text into "nodes". Each node is an instance of django.template.Node and has a render() method. A compiled template is, simply, a list of Node objects. When you call render() on a compiled template object, the template calls render() on each Node in its node list, with the given context. The results are all concatenated together to form the output of the template.

Thus, to define a custom template tag, you specify how the raw template tag is converted into a Node (the compilation function), and what the node's render() method does.

For each template tag the template parser encounters, it calls a Python function with the tag contents and the parser object itself. This function is responsible for returning a Node instance based on the contents of the tag.

For example, let's write a full implementation of our simple template tag, {% current_time %}, that displays the current date/time, formatted according to a parameter given in the tag, in strftime() syntax. It's a good idea to decide the tag syntax before anything else. In our case, let's say the tag should be used like this:

The parser for this function should grab the parameter and create a Node object:

split_contents() knows not to split quoted strings.

tag requires a single argument

tag's argument should be in quotes

is the template parser object. We don't need it in this example.

is a string of the raw contents of the tag. In our example, it's

method separates the arguments on spaces while keeping quoted strings together. The more straightforward

wouldn't be as robust, as it would naively split on

spaces, including those within quoted strings. It's a good idea to always use

This function is responsible for raising


, with helpful messages, for any syntax error.

variable. Don't hard-code the tag's name in your error messages, because that couples the tag's name to your function.

will always be the name of your tag even when the tag has no arguments.

with everything the node needs to know about this tag. In this case, it just passes the argument

. The leading and trailing quotes from the template tag are removed in

The parsing is very low-level. The Django developers have experimented with writing small frameworks on top of this parsing system, using techniques such as EBNF grammars, but those experiments made the template engine too slow. It's low-level because that's fastest.

The second step in writing custom tags is to define a Node subclass that has a render() method.

Continuing the above example, we need to define CurrentTimeNode:

. Always pass any options/parameters/arguments to a

method is where the work actually happens.

should generally fail silently, particularly in a production environment. In some cases however, particularly if

, this method may raise an exception to make debugging easier. For example, several core tags raise


if they receive the wrong number or type of arguments.

Ultimately, this decoupling of compilation and rendering results in an efficient template system, because a template can render multiple contexts without having to be parsed multiple times.

The output from template tags is not automatically run through the auto-escaping filters (with the exception of simple_tag() as described above). However, there are still a couple of things you should keep in mind when writing a template tag.

If the render() function of your template stores the result in a context variable (rather than returning the result in a string), it should take care to call mark_safe() if appropriate. When the variable is ultimately rendered, it will be affected by the auto-escape setting in effect at the time, so content that should be safe from further escaping needs to be marked as such.

Also, if your template tag creates a new context for performing some sub-rendering, set the auto-escape attribute to the current context's value. The __init__ method for the Context class takes a parameter called autoescape that you can use for this purpose. For example:

This is not a very common situation, but it's useful if you're rendering a template yourself. For example:

If we had neglected to pass in the current context.autoescape value to our new Context in this example, the results would have always been automatically escaped, which may not be the desired behavior if the template tag is used inside a {% autoescape off %} block.

Once a node is parsed, its render method may be called any number of times. Since Django is sometimes run in multi-threaded environments, a single node may be simultaneously rendering with different contexts in response to two separate requests. Therefore, it's important to make sure your template tags are thread safe.

To make sure your template tags are thread safe, you should never store state information on the node itself. For example, Django provides a builtin cycle template tag that cycles among a list of given strings each time it's rendered:

A naive implementation of CycleNode might look something like this:

But, suppose we have two templates rendering the template snippet from above at the same time:

Thread 1 performs its first loop iteration,

Thread 2 performs its first loop iteration,

Thread 1 performs its second loop iteration,

Thread 2 performs its second loop iteration,

The CycleNode is iterating, but it's iterating globally. As far as Thread 1 and Thread 2 are concerned, it's always returning the same value. This is obviously not what we want!

To address this problem, Django provides a render_context that's associated with the context of the template that is currently being rendered. The render_context behaves like a Python dictionary, and should be used to store Node state between invocations of the render method.

Let's refactor our CycleNode implementation to use the render_context:

Note that it's perfectly safe to store global information that will not change throughout the life of the Node as an attribute. In the case of CycleNode, the cyclevars argument doesn't change after the Node is instantiated, so we don't need to put it in the render_context. But state information that is specific to the template that is currently being rendered, like the current iteration of the CycleNode, should be stored in the render_context.

Notice how we used self to scope the CycleNode specific information within the render_context. There may be multiple CycleNodes in a given template, so we need to be careful not to clobber another node's state information. The easiest way to do this is to always use self as the key into render_context. If you're keeping track of several state variables, make render_context[self] a dictionary.

Finally, register the tag with your module's Library instance, as explained in writing custom template filters above. Example:

The name of the template tag: a string. If this is left out, the name of the compilation function will be used.

The compilation function: a Python function (not the name of the function as a string).

As with filter registration, it is also possible to use this as a decorator:

If you leave off the name argument, as in the second example above, Django will use the function's name as the tag name.

Although you can pass any number of arguments to a template tag using token.split_contents(), the arguments are all unpacked as string literals. A little more work is required in order to pass dynamic content (a template variable) to a template tag as an argument.

While the previous examples have formatted the current time into a string and returned the string, suppose you wanted to pass in a DateTimeField from an object and have the template tag format that date-time:

Initially, token.split_contents() will return three values:

Now your tag should begin to look like this:

split_contents() knows not to split quoted strings.

tag requires exactly two arguments

tag's argument should be in quotes

You also have to change the renderer to retrieve the actual contents of the date_updated property of the blog_entry object. This can be accomplished by using the Variable() class in django.template.

To use the Variable class, simply instantiate it with the name of the variable to be resolved, and then call variable.resolve(context). So, for example:

Variable resolution will throw a VariableDoesNotExist exception if it cannot resolve the string passed to it in the current context of the page.

The above examples simply output a value. Generally, it's more flexible if your template tags set template variables instead of outputting values. That way, template authors can reuse the values that your template tags create.

To set a variable in the context, just use dictionary assignment on the context object in the render() method. Here's an updated version of CurrentTimeNode that sets a template variable current_time instead of outputting it:

Note that render() returns the empty string. render() should always return string output. If all the template tag does is set a variable, render() should return the empty string.

Here's how you'd use this new version of the tag:

Any variable set in the context will only be available in the same block of the template in which it was assigned. This behavior is intentional; it provides a scope for variables so that they don't conflict with context in other blocks.

But, there's a problem with CurrentTimeNode2: The variable name current_time is hard-coded. This means you'll need to make sure your template doesn't use current_time anywhere else, because the {% current_time %} will blindly overwrite that variable's value. A cleaner solution is to make the template tag specify the name of the output variable, like so:

To do that, you'll need to refactor both the compilation function and Node class, like so:

This version uses a regular expression to parse tag contents.

Splitting by None == splitting by spaces.

tag's argument should be in quotes

The difference here is that do_current_time() grabs the format string and the variable name, passing both to CurrentTimeNode3.

Finally, if you only need to have a simple syntax for your custom context-updating template tag, consider using the simple_tag() shortcut, which supports assigning the tag results to a template variable.

Template tags can work in tandem. For instance, the standard {% comment %} tag hides everything until {% endcomment %}. To create a template tag such as this, use parser.parse() in your compilation function.

Here's how a simplified {% comment %} tag might be implemented:

The actual implementation of {% comment %} is slightly different in that it allows broken template tags to appear between {% comment %} and {% endcomment %}. It does so by calling parser.skip_past('endcomment') instead of parser.parse(('endcomment',)) followed by parser.delete_first_token(), thus avoiding the generation of a node list.

parser.parse() takes a tuple of names of block tags "to parse until". It returns an instance of django.template.NodeList, which is a list of all Node objects that the parser encountered "before" it encountered any of the tags named in the tuple.

In nodelist = parser.parse(('endcomment',)) in the above example, nodelist is a list of all nodes between the {% comment %} and {% endcomment %}, not counting {% comment %} and {% endcomment %} themselves.

After parser.parse() is called, the parser hasn't yet "consumed" the {% endcomment %} tag, so the code needs to explicitly call parser.delete_first_token().

CommentNode.render() simply returns an empty string. Anything between {% comment %} and {% endcomment %} is ignored.

In the previous example, do_comment() discarded everything between {% comment %} and {% endcomment %}. Instead of doing that, it's possible to do something with the code between block tags.

For example, here's a custom template tag, {% upper %}, that capitalizes everything between itself and {% endupper %}.

As in the previous example, we'll use parser.parse(). But this time, we pass the resulting nodelist to the Node:

The only new concept here is the self.nodelist.render(context) in UpperNode.render().

For mor