

Issue #2694 resolved

Autoescaping startswith

Marcin Kasperski
created an issue

The current implementation of the .startswith filter does not escape _ and % characters, so they match any character/any character sequence. This is rather unexpected (at least the fact that .startswith("a_b") finds "a/b" was fairly surprising for me) and requires users to manually escape parameters. See http://pastebin.com/qsCjybMz for a short script which illustrates the current behaviour.

It would be nice to have a .startswith which automatically escapes the parameter. As in #1169 I was warned that the current default must be kept, and introducing a new name is not very aesthetic, I would suggest a new parameter, for example

    .startswith("a_b", autoescape=True)

(SQLAlchemy escapes the string using whatever character is best and safest for the given db backend) and

    .startswith("a_b", autoescape='#')

(SQLAlchemy uses the given escape character)

Note: I am not sure whether/what should be done in case we .startswith(dbcolumn)

Note 2: startswith docs could really mention (current) escape param, (current) % and _ active behaviour and (implemented here) new param.
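The behaviour reported above and the manual escaping it forces on callers, as an added example that is not part of the issue, the linked pastebin script, or SQLAlchemy's own code. It runs the same kind of `LIKE <prefix> || '%'` query against an in-memory SQLite database using only the standard library; the table, the sample rows, the function names and the choice of `/` as escape character are all constructed for illustration.

```python
import sqlite3

ESCAPE_CHAR = "/"  # assumption: chosen to show that the escape char itself needs escaping
SAMPLE_NAMES = ["a_b.txt", "a/b.txt", "axb.txt", "a%b.txt", "abc.txt"]  # constructed data


def escape_like(value, escape=ESCAPE_CHAR):
    """Escape LIKE metacharacters so that `value` only matches itself literally."""
    # The escape character must be doubled first; doing it last would also
    # double the escapes just inserted in front of % and _.
    return (
        value.replace(escape, escape + escape)
        .replace("%", escape + "%")
        .replace("_", escape + "_")
    )


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (name TEXT)")
    conn.executemany("INSERT INTO item (name) VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def prefix_unescaped(conn, prefix):
    """Prefix match with the value passed through as-is: _ and % stay wildcards."""
    rows = conn.execute(
        "SELECT name FROM item WHERE name LIKE (? || '%') ORDER BY name", (prefix,)
    )
    return [r[0] for r in rows]


def prefix_escaped(conn, prefix):
    """Prefix match with the value escaped and an explicit ESCAPE clause."""
    rows = conn.execute(
        "SELECT name FROM item WHERE name LIKE (? || '%') ESCAPE ? ORDER BY name",
        (escape_like(prefix), ESCAPE_CHAR),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    for value in ("a_b", "a%b", "a/b"):
        print(value, "unescaped:", prefix_unescaped(db, value))
        print(value, "escaped:  ", prefix_escaped(db, value))
```

When the prefix comes from user input, the unescaped form lets a caller widen a filter meant to be a literal prefix simply by supplying `%` or `_`; bound parameters prevent SQL injection but do not neutralise LIKE wildcards.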
