Refs #7261 -- Made strings escaped by Django usable in third-party libs.
The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.
Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.
Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.
Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.
Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:
if isinstance(text, SafeData):
return text
else:
return escape(text)
render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.
This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.
Thanks mitsuhiko for the report.
Backport of 6d52f6f from master.
mark_safe and mark_for_escaping should have been kept similar.
On Python 2 this change has no effect. On Python 3 it fixes the use case
shown in the regression test for mark_for_escaping, which used to raise
a TypeError. The regression test for mark_safe is just for completeness.
Backport of 5c5eb5fe from master.
The migrations autodetector now issues AlterModelOptions operations for
Meta.managed changes instead of DeleteModel + CreateModel.
Thanks iambibhas for the report and Simon and Markus for review.
Backport of 061caa5b386681dc7bdef16918873043224a299c from master
Refs #24007. Thanks Tim Graham for his help with the patch.
Backport of 1d9fc5caa947ff4ee72180185e91a9a145171712 and
995be4a1375340a53668dd80444756d77302000d from master
The failure was introduced in dd1ea70779adff294140eddb0229c382e12f32f3.
The tests wouldn't start due to a "Dependency on unknown app" error.
Backport of b8cc5f3cd4c70518dceb894edf9717abff79f0b4 from master
Previous algo only worked if the first item was a part of the loop,
and you would get an infinite loop otherwise (see test).
To fix this, it was much easier to do a pre-pass.
A bonus is that you now get an error message that actually helps you debug
the dependency problem.
Backport of ff3d746e8d8e8fbe6de287bd0f4c3a9fa23c18dc from master, with
additional tests from c5def493d0993d65bf7d96f0a204006cbeaa6178
This change allows dynamically created inlines "Add related" button to work
correcly as long as their associated foreign key is pointing to the primary
key of the related model.
Thanks to amorce for the report, Julien Phalip for the initial patch,
and Collin Anderson for the review.
Backport of f9c4e14aeca7df79991bca8ac2d743953cbd095c from master
Also added a unit test wit the simpler syntax which we have documented,
where the dictionary values are strings.
Backport of 5b26a014a81ba0d404d46e11d2b45c01d92b97e5 from master
Added relabeled_clone() method to sql.Query to fix the problem. It
manifested itself in rare cases where at least double nested subquery's
filter condition might target non-existing alias.
Thanks to Trac alias ris for reporting the problem.
Backport of 5c481db29572a387651681b43d5d4523f96b3793 from master
Custom form fields having a `queryset` attribute but no
`limit_choices_to` could no longer be used in ModelForms.
Refs #2445.
Thanks to artscoop for the report.
Backport of bfb11b95626f39e2f5e18d97d7761c6f93dcc1a9 from master.
Conflicts:
django/forms/fields.py
Fixed issue with warning message displayed for unbound naive datetime
objects when USE_TZ is True. Adds unit test that demonstrates the issue
(discoverable when using a custom lookup in MySQL).
Backport of ceb1ffcc8d from master.
Conflicts:
tests/custom_lookups/tests.py
