django.git/django/utils/html.py, branch 1.8.10

django.git/django/utils/html.py, branch 1.8.10 django http://cgit.adnoto.dev/django.git/atom?h=1.8.10 2015-06-23T11:22:16Z [1.8.x] Renamed RemovedInDjango20Warning to RemovedInDjango110Warning. 2015-06-23T11:22:16Z Tim Graham timograham@gmail.com 2015-06-22T17:54:35Z urn:sha1:ae1d663b7913f6da233c55409c4973248372d302 [1.8.x] Fixed flake8 warnings on Python 3. 2015-06-15T17:01:41Z Tim Graham timograham@gmail.com 2015-06-15T14:37:14Z urn:sha1:062ce508b0edcb3a2e801d7959e08207bd8d2a1e Backport of 47fcbe506c04019a12e16221843e25a52249b1ab from master [1.8.x] Fixed #24469 -- Refined escaping of Django's form elements in non-Django templates. 2015-03-28T00:01:41Z Moritz Sichert moritz.sichert@googlemail.com 2015-03-18T20:42:59Z urn:sha1:44a05a8a912596c44f37f050dcde85b45827b3b6 Backport of 1f2abf784a9fe550959de242d91963b2ad6f7e9c from master [1.8.x] Fixed an infinite loop possibility in strip_tags(). 2015-03-18T23:23:21Z Tim Graham timograham@gmail.com 2015-03-04T13:11:25Z urn:sha1:5447709a571cd5d95971f1d5d21d4a7edcf85bbd This is a security fix; disclosure to follow shortly. [1.8.x] Fixed escaping regression in urlize filter. 2015-03-10T23:12:20Z Tim Graham timograham@gmail.com 2015-03-10T22:40:33Z urn:sha1:aba74d6f1e221c10be2798f55971d710521cb404 Now that the URL is always unescaped as of refs #22267, we should re-escape it before inserting it into the anchor. Backport of 7b1a67cce52e5c191fbfa1bca501c6f0222db019 from master [1.8.x] Fixed urlize regression with entities in query strings 2015-03-06T21:22:51Z Claude Paroz claude@2xlibre.net 2015-03-06T20:56:11Z urn:sha1:ac07890f959c467b3fc9c6dd6d36aafc2eff1fcc Refs #22267. Thanks Shai Berger for spotting the issue and Tim Graham for the initial patch. Backport of ec808e807 from master. [1.8.x] Sorted imports with isort; refs #23860. 2015-02-09T19:24:06Z Tim Graham timograham@gmail.com 2015-02-09T18:19:34Z urn:sha1:a8b70d251d238b4e6cfc7bb4296da15494f8dff3 Backport of 0ed7d155635da9f79d4dd67e4889087d3673c6da from master Fixed #23831 -- Supported strings escaped by third-party libs in Django. 2014-12-27T17:02:34Z Aymeric Augustin aymeric.augustin@m4x.org 2014-12-23T21:29:01Z urn:sha1:6d52f6f8e688b5c4e70be8352eb02c05fea60e85 Refs #7261 -- Made strings escaped by Django usable in third-party libs. The changes in mark_safe and mark_for_escaping are straightforward. The more tricky part is to handle correctly objects that implement __html__. Historically escape() has escaped SafeData. Even if that doesn't seem a good behavior, changing it would create security concerns. Therefore support for __html__() was only added to conditional_escape() where this concern doesn't exist. Then using conditional_escape() instead of escape() in the Django template engine makes it understand data escaped by other libraries. Template filter |escape accounts for __html__() when it's available. |force_escape forces the use of Django's HTML escaping implementation. Here's why the change in render_value_in_context() is safe. Before Django 1.7 conditional_escape() was implemented as follows: if isinstance(text, SafeData): return text else: return escape(text) render_value_in_context() never called escape() on SafeData. Therefore replacing escape() with conditional_escape() doesn't change the autoescaping logic as it was originally intended. This change should be backported to Django 1.7 because it corrects a feature added in Django 1.7. Thanks mitsuhiko for the report. Fixed #23968 -- Replaced list comprehension with generators and dict comprehension 2014-12-08T12:58:23Z Jon Dufresne jon.dufresne@gmail.com 2014-12-06T21:00:09Z urn:sha1:4468c08d70b5b722f3ebd4872909e56580ec7d68 Removed redundant numbered parameters from str.format(). 2014-12-03T19:27:38Z Berker Peksag berker.peksag@gmail.com 2014-11-27T00:41:27Z urn:sha1:560b4207b1490a7d0cbf70cfbeba7daf2082e5be Since Python 2.7 and 3.1, "{0} {1}" is equivalent to "{} {}".