mirror of
https://github.com/django/django.git
synced 2024-12-23 01:25:58 +00:00
6d52f6f8e6
Refs #7261 -- Made strings escaped by Django usable in third-party libs. The changes in mark_safe and mark_for_escaping are straightforward. The more tricky part is to handle correctly objects that implement __html__. Historically escape() has escaped SafeData. Even if that doesn't seem a good behavior, changing it would create security concerns. Therefore support for __html__() was only added to conditional_escape() where this concern doesn't exist. Then using conditional_escape() instead of escape() in the Django template engine makes it understand data escaped by other libraries. Template filter |escape accounts for __html__() when it's available. |force_escape forces the use of Django's HTML escaping implementation. Here's why the change in render_value_in_context() is safe. Before Django 1.7 conditional_escape() was implemented as follows: if isinstance(text, SafeData): return text else: return escape(text) render_value_in_context() never called escape() on SafeData. Therefore replacing escape() with conditional_escape() doesn't change the autoescaping logic as it was originally intended. This change should be backported to Django 1.7 because it corrects a feature added in Django 1.7. Thanks mitsuhiko for the report. |
||
---|---|---|
.. | ||
archives | ||
eggs | ||
files | ||
locale/nl/LC_MESSAGES | ||
test_module | ||
__init__.py | ||
models.py | ||
test_archive.py | ||
test_autoreload.py | ||
test_baseconv.py | ||
test_checksums.py | ||
test_crypto.py | ||
test_datastructures.py | ||
test_dateformat.py | ||
test_dateparse.py | ||
test_datetime_safe.py | ||
test_decorators.py | ||
test_duration.py | ||
test_encoding.py | ||
test_feedgenerator.py | ||
test_functional.py | ||
test_html.py | ||
test_http.py | ||
test_ipv6.py | ||
test_itercompat.py | ||
test_jslex.py | ||
test_lazyobject.py | ||
test_lorem_ipsum.py | ||
test_module_loading.py | ||
test_no_submodule.py | ||
test_numberformat.py | ||
test_os_utils.py | ||
test_regex_helper.py | ||
test_safestring.py | ||
test_simplelazyobject.py | ||
test_termcolors.py | ||
test_text.py | ||
test_timesince.py | ||
test_timezone.py | ||
test_tree.py | ||
test_tzinfo.py |