mirror of
				https://github.com/django/django.git
				synced 2025-10-24 22:26:08 +00:00 
			
		
		
		
	Refs #7261 -- Made strings escaped by Django usable in third-party libs.
The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.
Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.
Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.
Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.
Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:
    if isinstance(text, SafeData):
        return text
    else:
        return escape(text)
render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.
This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.
Thanks mitsuhiko for the report.
Backport of 6d52f6f from master.
		
	
		
			
				
	
	
		
			93 lines
		
	
	
		
			3.1 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			93 lines
		
	
	
		
			3.1 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| from __future__ import unicode_literals
 | |
| 
 | |
| from django.template import Template, Context
 | |
| from django.test import TestCase
 | |
| from django.utils.encoding import force_text, force_bytes
 | |
| from django.utils.functional import lazy
 | |
| from django.utils.safestring import mark_safe, mark_for_escaping, SafeData, EscapeData
 | |
| from django.utils import six
 | |
| 
 | |
| lazystr = lazy(force_text, six.text_type)
 | |
| lazybytes = lazy(force_bytes, bytes)
 | |
| 
 | |
| 
 | |
| class customescape(six.text_type):
 | |
|     def __html__(self):
 | |
|         # implement specific and obviously wrong escaping
 | |
|         # in order to be able to tell for sure when it runs
 | |
|         return self.replace('<', '<<').replace('>', '>>')
 | |
| 
 | |
| 
 | |
| class SafeStringTest(TestCase):
 | |
|     def assertRenderEqual(self, tpl, expected, **context):
 | |
|         context = Context(context)
 | |
|         tpl = Template(tpl)
 | |
|         self.assertEqual(tpl.render(context), expected)
 | |
| 
 | |
|     def test_mark_safe(self):
 | |
|         s = mark_safe('a&b')
 | |
| 
 | |
|         self.assertRenderEqual('{{ s }}', 'a&b', s=s)
 | |
|         self.assertRenderEqual('{{ s|force_escape }}', 'a&b', s=s)
 | |
| 
 | |
|     def test_mark_safe_object_implementing_dunder_html(self):
 | |
|         e = customescape('<a&b>')
 | |
|         s = mark_safe(e)
 | |
|         self.assertIs(s, e)
 | |
| 
 | |
|         self.assertRenderEqual('{{ s }}', '<<a&b>>', s=s)
 | |
|         self.assertRenderEqual('{{ s|force_escape }}', '<a&b>', s=s)
 | |
| 
 | |
|     def test_mark_safe_lazy(self):
 | |
|         s = lazystr('a&b')
 | |
|         b = lazybytes(b'a&b')
 | |
| 
 | |
|         self.assertIsInstance(mark_safe(s), SafeData)
 | |
|         self.assertIsInstance(mark_safe(b), SafeData)
 | |
|         self.assertRenderEqual('{{ s }}', 'a&b', s=mark_safe(s))
 | |
| 
 | |
|     def test_mark_safe_object_implementing_dunder_str(self):
 | |
|         class Obj(object):
 | |
|             def __str__(self):
 | |
|                 return '<obj>'
 | |
| 
 | |
|         s = mark_safe(Obj())
 | |
| 
 | |
|         self.assertRenderEqual('{{ s }}', '<obj>', s=s)
 | |
| 
 | |
|     def test_mark_safe_result_implements_dunder_html(self):
 | |
|         self.assertEqual(mark_safe('a&b').__html__(), 'a&b')
 | |
| 
 | |
|     def test_mark_safe_lazy_result_implements_dunder_html(self):
 | |
|         self.assertEqual(mark_safe(lazystr('a&b')).__html__(), 'a&b')
 | |
| 
 | |
|     def test_mark_for_escaping(self):
 | |
|         s = mark_for_escaping('a&b')
 | |
|         self.assertRenderEqual('{{ s }}', 'a&b', s=s)
 | |
|         self.assertRenderEqual('{{ s }}', 'a&b', s=mark_for_escaping(s))
 | |
| 
 | |
|     def test_mark_for_escaping_object_implementing_dunder_html(self):
 | |
|         e = customescape('<a&b>')
 | |
|         s = mark_for_escaping(e)
 | |
|         self.assertIs(s, e)
 | |
| 
 | |
|         self.assertRenderEqual('{{ s }}', '<<a&b>>', s=s)
 | |
|         self.assertRenderEqual('{{ s|force_escape }}', '<a&b>', s=s)
 | |
| 
 | |
|     def test_mark_for_escaping_lazy(self):
 | |
|         s = lazystr('a&b')
 | |
|         b = lazybytes(b'a&b')
 | |
| 
 | |
|         self.assertIsInstance(mark_for_escaping(s), EscapeData)
 | |
|         self.assertIsInstance(mark_for_escaping(b), EscapeData)
 | |
|         self.assertRenderEqual('{% autoescape off %}{{ s }}{% endautoescape %}', 'a&b', s=mark_for_escaping(s))
 | |
| 
 | |
|     def test_mark_for_escaping_object_implementing_dunder_str(self):
 | |
|         class Obj(object):
 | |
|             def __str__(self):
 | |
|                 return '<obj>'
 | |
| 
 | |
|         s = mark_for_escaping(Obj())
 | |
| 
 | |
|         self.assertRenderEqual('{{ s }}', '<obj>', s=s)
 |