mirror of https://github.com/django/django.git synced 2024-12-23 01:25:58 +00:00
django/tests/utils_tests
Aymeric Augustin 6d52f6f8e6 Fixed #23831 -- Supported strings escaped by third-party libs in Django.
Refs #7261 -- Made strings escaped by Django usable in third-party libs.

The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.

Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.

Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.

Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.

Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:

    if isinstance(text, SafeData):
        return text
    else:
        return escape(text)

render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.

This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.

Thanks mitsuhiko for the report.
2014-12-27 18:02:34 +01:00
archives
eggs
files
locale/nl/LC_MESSAGES
test_module
__init__.py
models.py
test_archive.py
test_autoreload.py
test_baseconv.py Fixed #23812 -- Changed django.utils.six.moves.xrange imports to range 2014-12-13 12:45:58 -05:00
test_checksums.py
test_crypto.py
test_datastructures.py
test_dateformat.py
test_dateparse.py Fixed #2443 -- Added DurationField. 2014-12-20 18:28:29 +00:00
test_datetime_safe.py Fixed #23998 -- Added datetime.time support to migrations questioner. 2014-12-22 07:24:54 -05:00
test_decorators.py
test_duration.py Fixed #2443 -- Added DurationField. 2014-12-20 18:28:29 +00:00
test_encoding.py
test_feedgenerator.py
test_functional.py Fixed #23346 -- Fixed lazy() to lookup methods on the real object, not resultclasses. 2014-12-26 11:30:34 -05:00
test_html.py Removed redundant numbered parameters from str.format(). 2014-12-03 14:27:38 -05:00
test_http.py
test_ipv6.py
test_itercompat.py
test_jslex.py
test_lazyobject.py
test_lorem_ipsum.py
test_module_loading.py
test_no_submodule.py
test_numberformat.py Removed redundant numbered parameters from str.format(). 2014-12-03 14:27:38 -05:00
test_os_utils.py Removed redundant numbered parameters from str.format(). 2014-12-03 14:27:38 -05:00
test_regex_helper.py
test_safestring.py Fixed #23831 -- Supported strings escaped by third-party libs in Django. 2014-12-27 18:02:34 +01:00
test_simplelazyobject.py
test_termcolors.py
test_text.py Refs #23947 -- Worked around a bug in Python that prevents deprecation warnings from appearing in tests. 2014-12-06 14:46:01 -05:00
test_timesince.py
test_timezone.py
test_tree.py
test_tzinfo.py