mirror of
https://github.com/django/django.git
synced 2024-11-18 23:44:22 +00:00
6d52f6f8e6
Refs #7261 -- Made strings escaped by Django usable in third-party libs. The changes in mark_safe and mark_for_escaping are straightforward. The more tricky part is to handle correctly objects that implement __html__. Historically escape() has escaped SafeData. Even if that doesn't seem a good behavior, changing it would create security concerns. Therefore support for __html__() was only added to conditional_escape() where this concern doesn't exist. Then using conditional_escape() instead of escape() in the Django template engine makes it understand data escaped by other libraries. Template filter |escape accounts for __html__() when it's available. |force_escape forces the use of Django's HTML escaping implementation. Here's why the change in render_value_in_context() is safe. Before Django 1.7 conditional_escape() was implemented as follows: if isinstance(text, SafeData): return text else: return escape(text) render_value_in_context() never called escape() on SafeData. Therefore replacing escape() with conditional_escape() doesn't change the autoescaping logic as it was originally intended. This change should be backported to Django 1.7 because it corrects a feature added in Django 1.7. Thanks mitsuhiko for the report. |
||
|---|---|---|
| .tx | ||
| django | ||
| docs | ||
| extras | ||
| scripts | ||
| tests | ||
| .gitattributes | ||
| .gitignore | ||
| .hgignore | ||
| AUTHORS | ||
| CONTRIBUTING.rst | ||
| INSTALL | ||
| LICENSE | ||
| MANIFEST.in | ||
| README.rst | ||
| setup.cfg | ||
| setup.py | ||
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Thanks for checking it out. All documentation is in the "docs" directory and online at https://docs.djangoproject.com/en/stable/. If you're just getting started, here's how we recommend you read the docs: * First, read docs/intro/install.txt for instructions on installing Django. * Next, work through the tutorials in order (docs/intro/tutorial01.txt, docs/intro/tutorial02.txt, etc.). * If you want to set up an actual deployment server, read docs/howto/deployment/index.txt for instructions. * You'll probably want to read through the topical guides (in docs/topics) next; from there you can jump to the HOWTOs (in docs/howto) for specific problems, and check out the reference (docs/ref) for gory details. * See docs/README for instructions on building an HTML version of the docs. Docs are updated rigorously. If you find any problems in the docs, or think they should be clarified in any way, please take 30 seconds to fill out a ticket here: https://code.djangoproject.com/newticket To get more help: * Join the #django channel on irc.freenode.net. Lots of helpful people hang out there. Read the archives at http://django-irc-logs.com/. * Join the django-users mailing list, or read the archives, at https://groups.google.com/group/django-users. To contribute to Django: * Check out https://www.djangoproject.com/community/ for information about getting involved. To run Django's test suite: * Follow the instructions in the "Unit tests" section of docs/internals/contributing/writing-code/unit-tests.txt, published online at https://docs.djangoproject.com/en/dev/internals/contributing/writing-code/unit-tests/#running-the-unit-tests