
Fixed #5945 -- Treat string literals in template filter arguments as safe

strings for auto-escaping purposes.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6680 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Malcolm Tredinnick
2007-11-17 12:11:26 +00:00
parent 0b0ef3f0c5
commit 0928fa5566
4 changed files with 39 additions and 13 deletions


@@ -594,7 +594,7 @@ class FilterExpression(object):
arg_vals = []
for lookup, arg in args:
if not lookup:
arg_vals.append(arg)
arg_vals.append(mark_safe(arg))
else:
arg_vals.append(arg.resolve(context))
if getattr(func, 'needs_autoescape', False):
@@ -707,7 +707,7 @@ class Variable(object):
# If it's wrapped with quotes (single or double), then
# we're also dealing with a literal.
if var[0] in "\"'" and var[0] == var[-1]:
self.literal = var[1:-1]
self.literal = mark_safe(var[1:-1])
else:
# Otherwise we'll set self.lookups so that resolve() knows we're
# dealing with a bonafide variable
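Review bot: Both new `mark_safe(...)` calls make a trust decision that the code does not state: text typed into the template source is treated as HTML-safe, which holds only while the template itself comes from a trusted author. I would add a comment above `arg_vals.append(mark_safe(arg))` such as `# Literal written in the template source: trusted like the template itself, so exempt from auto-escaping.`, and the same above `self.literal = mark_safe(var[1:-1])`. If the `not lookup` branch can also receive values that the template author did not write verbatim (for example translated constants, which these hunks do not show), those would be marked safe too, so that is worth checking before relying on it. Both enclosing methods start and end outside the hunks, so the origin of `args` and `var` cannot be confirmed from here.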