mirror of
				https://github.com/django/django.git
				synced 2025-10-25 14:46:09 +00:00 
			
		
		
		
	Fixed #23831 -- Supported strings escaped by third-party libs in Django.
Refs #7261 -- Made strings escaped by Django usable in third-party libs. The changes in mark_safe and mark_for_escaping are straightforward. The more tricky part is to handle correctly objects that implement __html__. Historically escape() has escaped SafeData. Even if that doesn't seem a good behavior, changing it would create security concerns. Therefore support for __html__() was only added to conditional_escape() where this concern doesn't exist. Then using conditional_escape() instead of escape() in the Django template engine makes it understand data escaped by other libraries. Template filter |escape accounts for __html__() when it's available. |force_escape forces the use of Django's HTML escaping implementation. Here's why the change in render_value_in_context() is safe. Before Django 1.7 conditional_escape() was implemented as follows: if isinstance(text, SafeData): return text else: return escape(text) render_value_in_context() never called escape() on SafeData. Therefore replacing escape() with conditional_escape() doesn't change the autoescaping logic as it was originally intended. This change should be backported to Django 1.7 because it corrects a feature added in Django 1.7. Thanks mitsuhiko for the report.
This commit is contained in:
		| @@ -19,7 +19,7 @@ from django.utils.translation import ugettext_lazy, pgettext_lazy | ||||
| from django.utils.safestring import (SafeData, EscapeData, mark_safe, | ||||
|     mark_for_escaping) | ||||
| from django.utils.formats import localize | ||||
| from django.utils.html import escape | ||||
| from django.utils.html import conditional_escape | ||||
| from django.utils.module_loading import module_has_submodule | ||||
| from django.utils import six | ||||
| from django.utils.timezone import template_localtime | ||||
| @@ -887,7 +887,7 @@ def render_value_in_context(value, context): | ||||
|     value = force_text(value) | ||||
|     if ((context.autoescape and not isinstance(value, SafeData)) or | ||||
|             isinstance(value, EscapeData)): | ||||
|         return escape(value) | ||||
|         return conditional_escape(value) | ||||
|     else: | ||||
|         return value | ||||
|  | ||||
|   | ||||
| @@ -1,6 +1,6 @@ | ||||
| from django.template.base import Lexer, Parser, tag_re, NodeList, VariableNode, TemplateSyntaxError | ||||
| from django.utils.encoding import force_text | ||||
| from django.utils.html import escape | ||||
| from django.utils.html import conditional_escape | ||||
| from django.utils.safestring import SafeData, EscapeData | ||||
| from django.utils.formats import localize | ||||
| from django.utils.timezone import template_localtime | ||||
| @@ -98,6 +98,6 @@ class DebugVariableNode(VariableNode): | ||||
|                 e.django_template_source = self.source | ||||
|             raise | ||||
|         if (context.autoescape and not isinstance(output, SafeData)) or isinstance(output, EscapeData): | ||||
|             return escape(output) | ||||
|             return conditional_escape(output) | ||||
|         else: | ||||
|             return output | ||||
|   | ||||
| @@ -44,6 +44,10 @@ def escape(text): | ||||
|     """ | ||||
|     Returns the given text with ampersands, quotes and angle brackets encoded | ||||
|     for use in HTML. | ||||
|  | ||||
|     This function always escapes its input, even if it's already escaped and | ||||
|     marked as such. This may result in double-escaping. If this is a concern, | ||||
|     use conditional_escape() instead. | ||||
|     """ | ||||
|     return mark_safe(force_text(text).replace('&', '&').replace('<', '<') | ||||
|         .replace('>', '>').replace('"', '"').replace("'", ''')) | ||||
| @@ -76,6 +80,9 @@ escapejs = allow_lazy(escapejs, six.text_type, SafeText) | ||||
| def conditional_escape(text): | ||||
|     """ | ||||
|     Similar to escape(), except that it doesn't operate on pre-escaped strings. | ||||
|  | ||||
|     This function relies on the __html__ convention used both by Django's | ||||
|     SafeData class and by third-party libraries like markupsafe. | ||||
|     """ | ||||
|     if hasattr(text, '__html__'): | ||||
|         return text.__html__() | ||||
|   | ||||
| @@ -36,9 +36,9 @@ else: | ||||
| class SafeData(object): | ||||
|     def __html__(self): | ||||
|         """ | ||||
|         Returns the html representation of a string. | ||||
|         Returns the html representation of a string for interoperability. | ||||
|  | ||||
|         Allows interoperability with other template engines. | ||||
|         This allows other template engines to understand Django's SafeData. | ||||
|         """ | ||||
|         return self | ||||
|  | ||||
| @@ -121,7 +121,7 @@ def mark_safe(s): | ||||
|  | ||||
|     Can be called multiple times on a single string. | ||||
|     """ | ||||
|     if isinstance(s, SafeData): | ||||
|     if hasattr(s, '__html__'): | ||||
|         return s | ||||
|     if isinstance(s, bytes) or (isinstance(s, Promise) and s._delegate_bytes): | ||||
|         return SafeBytes(s) | ||||
| @@ -138,7 +138,7 @@ def mark_for_escaping(s): | ||||
|     Can be called multiple times on a single string (the resulting escaping is | ||||
|     only applied once). | ||||
|     """ | ||||
|     if isinstance(s, (SafeData, EscapeData)): | ||||
|     if hasattr(s, '__html__') or isinstance(s, EscapeData): | ||||
|         return s | ||||
|     if isinstance(s, bytes) or (isinstance(s, Promise) and s._delegate_bytes): | ||||
|         return EscapeBytes(s) | ||||
|   | ||||
| @@ -13,6 +13,13 @@ lazystr = lazy(force_text, six.text_type) | ||||
| lazybytes = lazy(force_bytes, bytes) | ||||
|  | ||||
|  | ||||
| class customescape(six.text_type): | ||||
|     def __html__(self): | ||||
|         # implement specific and obviously wrong escaping | ||||
|         # in order to be able to tell for sure when it runs | ||||
|         return self.replace('<', '<<').replace('>', '>>') | ||||
|  | ||||
|  | ||||
| class SafeStringTest(TestCase): | ||||
|     def assertRenderEqual(self, tpl, expected, **context): | ||||
|         context = Context(context) | ||||
| @@ -25,6 +32,14 @@ class SafeStringTest(TestCase): | ||||
|         self.assertRenderEqual('{{ s }}', 'a&b', s=s) | ||||
|         self.assertRenderEqual('{{ s|force_escape }}', 'a&b', s=s) | ||||
|  | ||||
|     def test_mark_safe_object_implementing_dunder_html(self): | ||||
|         e = customescape('<a&b>') | ||||
|         s = mark_safe(e) | ||||
|         self.assertIs(s, e) | ||||
|  | ||||
|         self.assertRenderEqual('{{ s }}', '<<a&b>>', s=s) | ||||
|         self.assertRenderEqual('{{ s|force_escape }}', '<a&b>', s=s) | ||||
|  | ||||
|     def test_mark_safe_lazy(self): | ||||
|         s = lazystr('a&b') | ||||
|         b = lazybytes(b'a&b') | ||||
| @@ -42,11 +57,25 @@ class SafeStringTest(TestCase): | ||||
|  | ||||
|         self.assertRenderEqual('{{ s }}', '<obj>', s=s) | ||||
|  | ||||
|     def test_mark_safe_result_implements_dunder_html(self): | ||||
|         self.assertEqual(mark_safe('a&b').__html__(), 'a&b') | ||||
|  | ||||
|     def test_mark_safe_lazy_result_implements_dunder_html(self): | ||||
|         self.assertEqual(mark_safe(lazystr('a&b')).__html__(), 'a&b') | ||||
|  | ||||
|     def test_mark_for_escaping(self): | ||||
|         s = mark_for_escaping('a&b') | ||||
|         self.assertRenderEqual('{{ s }}', 'a&b', s=s) | ||||
|         self.assertRenderEqual('{{ s }}', 'a&b', s=mark_for_escaping(s)) | ||||
|  | ||||
|     def test_mark_for_escaping_object_implementing_dunder_html(self): | ||||
|         e = customescape('<a&b>') | ||||
|         s = mark_for_escaping(e) | ||||
|         self.assertIs(s, e) | ||||
|  | ||||
|         self.assertRenderEqual('{{ s }}', '<<a&b>>', s=s) | ||||
|         self.assertRenderEqual('{{ s|force_escape }}', '<a&b>', s=s) | ||||
|  | ||||
|     def test_mark_for_escaping_lazy(self): | ||||
|         s = lazystr('a&b') | ||||
|         b = lazybytes(b'a&b') | ||||
| @@ -55,10 +84,6 @@ class SafeStringTest(TestCase): | ||||
|         self.assertIsInstance(mark_for_escaping(b), EscapeData) | ||||
|         self.assertRenderEqual('{% autoescape off %}{{ s }}{% endautoescape %}', 'a&b', s=mark_for_escaping(s)) | ||||
|  | ||||
|     def test_html(self): | ||||
|         s = '<h1>interop</h1>' | ||||
|         self.assertEqual(s, mark_safe(s).__html__()) | ||||
|  | ||||
|     def test_mark_for_escaping_object_implementing_dunder_str(self): | ||||
|         class Obj(object): | ||||
|             def __str__(self): | ||||
|   | ||||
		Reference in New Issue
	
	Block a user