mirror of https://github.com/django/django.git
Fixed #11377: the template join filter now correctly escapes the joiner, too.
Thanks, Stephen Kelly. git-svn-id: http://code.djangoproject.com/svn/django/trunk@13464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
f40922609f
commit
e64cdf7129
|
@ -11,9 +11,10 @@ except ImportError:
|
|||
from django.template import Variable, Library
|
||||
from django.conf import settings
|
||||
from django.utils import formats
|
||||
from django.utils.translation import ugettext, ungettext
|
||||
from django.utils.encoding import force_unicode, iri_to_uri
|
||||
from django.utils.html import conditional_escape
|
||||
from django.utils.safestring import mark_safe, SafeData
|
||||
from django.utils.translation import ugettext, ungettext
|
||||
|
||||
register = Library()
|
||||
|
||||
|
@ -496,10 +497,9 @@ def join(value, arg, autoescape=None):
|
|||
"""
|
||||
value = map(force_unicode, value)
|
||||
if autoescape:
|
||||
from django.utils.html import conditional_escape
|
||||
value = [conditional_escape(v) for v in value]
|
||||
try:
|
||||
data = arg.join(value)
|
||||
data = conditional_escape(arg).join(value)
|
||||
except AttributeError: # fail silently but nicely
|
||||
return value
|
||||
return mark_safe(data)
|
||||
|
|
|
@ -328,7 +328,12 @@ def get_filter_tests():
|
|||
'join03': (r'{{ a|join:" & " }}', {'a': ['alpha', 'beta & me']}, 'alpha & beta & me'),
|
||||
'join04': (r'{% autoescape off %}{{ a|join:" & " }}{% endautoescape %}', {'a': ['alpha', 'beta & me']}, 'alpha & beta & me'),
|
||||
|
||||
|
||||
# Test that joining with unsafe joiners don't result in unsafe strings (#11377)
|
||||
'join05': (r'{{ a|join:var }}', {'a': ['alpha', 'beta & me'], 'var': ' & '}, 'alpha & beta & me'),
|
||||
'join06': (r'{{ a|join:var }}', {'a': ['alpha', 'beta & me'], 'var': mark_safe(' & ')}, 'alpha & beta & me'),
|
||||
'join07': (r'{{ a|join:var|lower }}', {'a': ['Alpha', 'Beta & me'], 'var': ' & ' }, 'alpha & beta & me'),
|
||||
'join08': (r'{{ a|join:var|lower }}', {'a': ['Alpha', 'Beta & me'], 'var': mark_safe(' & ')}, 'alpha & beta & me'),
|
||||
|
||||
'date01': (r'{{ d|date:"m" }}', {'d': datetime(2008, 1, 1)}, '01'),
|
||||
'date02': (r'{{ d|date }}', {'d': datetime(2008, 1, 1)}, 'Jan. 1, 2008'),
|
||||
#Ticket 9520: Make sure |date doesn't blow up on non-dates
|
||||
|
|
Loading…
Reference in New Issue