1
0
mirror of https://github.com/django/django.git synced 2025-01-08 17:37:20 +00:00

Fixed #28902 -- Fixed password_validators_help_text_html() double escaping.

This commit is contained in:
Alvin Lindstam 2018-01-03 01:51:06 +01:00 committed by Tim Graham
parent c86e9b5847
commit 2cb6b7732d
2 changed files with 13 additions and 3 deletions

View File

@ -9,7 +9,7 @@ from django.core.exceptions import (
FieldDoesNotExist, ImproperlyConfigured, ValidationError,
)
from django.utils.functional import lazy
from django.utils.html import format_html
from django.utils.html import format_html, format_html_join
from django.utils.module_loading import import_string
from django.utils.translation import gettext as _, ngettext
@ -81,8 +81,8 @@ def _password_validators_help_text_html(password_validators=None):
in an <ul>.
"""
help_texts = password_validators_help_texts(password_validators)
help_items = [format_html('<li>{}</li>', help_text) for help_text in help_texts]
return '<ul>%s</ul>' % ''.join(help_items) if help_items else ''
help_items = format_html_join('', '<li>{}</li>', ((help_text,) for help_text in help_texts))
return format_html('<ul>{}</ul>', help_items) if help_items else ''
password_validators_help_text_html = lazy(_password_validators_help_text_html, str)

View File

@ -13,6 +13,7 @@ from django.core.exceptions import ValidationError
from django.db import models
from django.test import TestCase, override_settings
from django.test.utils import isolate_apps
from django.utils.html import conditional_escape
@override_settings(AUTH_PASSWORD_VALIDATORS=[
@ -68,6 +69,15 @@ class PasswordValidationTest(TestCase):
self.assertEqual(help_text.count('<li>'), 2)
self.assertIn('12 characters', help_text)
def test_password_validators_help_text_html_escaping(self):
class AmpersandValidator:
def get_help_text(self):
return 'Must contain &'
help_text = password_validators_help_text_html([AmpersandValidator()])
self.assertEqual(help_text, '<ul><li>Must contain &amp;</li></ul>')
# help_text is marked safe and therefore unchanged by conditional_escape().
self.assertEqual(help_text, conditional_escape(help_text))
@override_settings(AUTH_PASSWORD_VALIDATORS=[])
def test_empty_password_validator_help_text_html(self):
self.assertEqual(password_validators_help_text_html(), '')