mirror of https://github.com/django/django.git synced 2025-03-14 19:30:46 +00:00
Aymeric Augustin 3483682749 [1.7.x] Fixed #23831 -- Supported strings escaped by third-party libs in Django.
Refs #7261 -- Made strings escaped by Django usable in third-party libs.

The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.

Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.

Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.

Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.

Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:

    if isinstance(text, SafeData):
        return text
    else:
        return escape(text)

render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.

This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.

Thanks mitsuhiko for the report.

Backport of 6d52f6f from master.
2014-12-27 18:26:20 +01:00
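The behaviour the commit message describes, as an added, self-contained model (example code written for this page, not Django's implementation): a minimal SafeData/SafeString, an escape() that escapes unconditionally (including SafeData, as the message notes), the pre-1.7 conditional_escape() quoted above, the __html__-aware conditional_escape(), and a stand-in for a third-party safe-string type such as markupsafe's Markup that implements only __html__. The function and class names are chosen to mirror Django's; the escaping itself uses html.escape from the standard library, so the exact entity for a quote character is an assumption and may differ from Django's.

```python
import html


class SafeData:
    """Marker mixin: the value is already HTML-safe (models Django's SafeData)."""


class SafeString(str, SafeData):
    """A str flagged as safe.  __html__ is the protocol other libraries use to
    recognise it, which is what lets Django-escaped strings cross into third-
    party code (the Refs #7261 half of the change)."""

    def __html__(self):
        return str(self)


def mark_safe(value):
    """Flag a value as safe.  Objects that already implement __html__ are
    returned unchanged so a third-party safe string is not re-wrapped."""
    if isinstance(value, SafeData) or hasattr(value, "__html__"):
        return value
    return SafeString(value)


def escape(text):
    """Unconditional escaping: SafeData is escaped again, as the message says
    historically happened.  Returned value is marked safe."""
    return SafeString(html.escape(str(text), quote=True))


def conditional_escape_pre17(text):
    """The pre-Django-1.7 implementation quoted in the commit message.  It only
    knows about SafeData, so a foreign __html__ object gets double-escaped."""
    if isinstance(text, SafeData):
        return text
    return escape(text)


def conditional_escape(text):
    """The __html__-aware version: anything advertising __html__ (Django's own
    SafeString or a third-party type) is trusted; everything else is escaped."""
    if hasattr(text, "__html__"):
        return text.__html__()
    return escape(text)


def render_value_in_context(value, autoescape=True):
    """Models the template engine's output step.  With autoescape on it uses
    conditional_escape(), which the message argues is equivalent to the old
    escape() path because SafeData never reached escape() there."""
    return conditional_escape(value) if autoescape else str(value)


class ForeignMarkup(str):
    """Stand-in for a third-party safe-string type (e.g. markupsafe.Markup).
    It implements __html__ but is not a SafeData subclass."""

    def __html__(self):
        return str(self)


def foreign_escape(value):
    """How a third-party library typically escapes: honour __html__, else escape.
    Demonstrates that a Django SafeString now passes through such code intact."""
    if hasattr(value, "__html__"):
        return value.__html__()
    return html.escape(str(value), quote=True)


if __name__ == "__main__":
    # Constructed sample values.
    user_input = "<script>alert(1)</script>"
    django_safe = mark_safe("<b>bold</b>")
    foreign_safe = ForeignMarkup("<i>italic</i>")

    print("escape(user_input):              ", escape(user_input))
    print("escape(django_safe) double-escapes:", escape(django_safe))
    print("pre-1.7 on foreign (the bug):    ", conditional_escape_pre17(foreign_safe))
    print("1.7.x on foreign (fixed):        ", conditional_escape(foreign_safe))
    print("third-party lib on Django-safe:  ", foreign_escape(django_safe))
```

The two calls to compare are conditional_escape_pre17(ForeignMarkup(...)), which escapes the third-party object because it is not SafeData, and conditional_escape(ForeignMarkup(...)), which returns it untouched via __html__; untrusted plain strings are escaped by both. The force_escape filter mentioned in the message corresponds to calling escape() directly, which still escapes SafeData.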