summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJacob Kaplan-Moss <jacob@jacobian.org>2010-08-03 15:42:39 +0000
committerJacob Kaplan-Moss <jacob@jacobian.org>2010-08-03 15:42:39 +0000
commite64cdf7129c5ff9a0229d6c3fcde00079a70a4f9 (patch)
tree40c4d5634f0a0f131de2217ba9504855a7980cd9
parentf40922609f6d8558773ec5004a1f974425596c6b (diff)
Fixed #11377: the template join filter now correctly escapes the joiner, too.
Thanks, Stephen Kelly. git-svn-id: http://code.djangoproject.com/svn/django/trunk@13464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r--django/template/defaultfilters.py6
-rw-r--r--tests/regressiontests/templates/filters.py7
2 files changed, 9 insertions, 4 deletions
diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py
index 4b720093b3..d8e7e91efe 100644
--- a/django/template/defaultfilters.py
+++ b/django/template/defaultfilters.py
@@ -11,9 +11,10 @@ except ImportError:
from django.template import Variable, Library
from django.conf import settings
from django.utils import formats
-from django.utils.translation import ugettext, ungettext
from django.utils.encoding import force_unicode, iri_to_uri
+from django.utils.html import conditional_escape
from django.utils.safestring import mark_safe, SafeData
+from django.utils.translation import ugettext, ungettext
register = Library()
@@ -496,10 +497,9 @@ def join(value, arg, autoescape=None):
"""
value = map(force_unicode, value)
if autoescape:
- from django.utils.html import conditional_escape
value = [conditional_escape(v) for v in value]
try:
- data = arg.join(value)
+ data = conditional_escape(arg).join(value)
except AttributeError: # fail silently but nicely
return value
return mark_safe(data)
diff --git a/tests/regressiontests/templates/filters.py b/tests/regressiontests/templates/filters.py
index 3d6284e881..d351c550b7 100644
--- a/tests/regressiontests/templates/filters.py
+++ b/tests/regressiontests/templates/filters.py
@@ -328,7 +328,12 @@ def get_filter_tests():
'join03': (r'{{ a|join:" &amp; " }}', {'a': ['alpha', 'beta & me']}, 'alpha &amp; beta &amp; me'),
'join04': (r'{% autoescape off %}{{ a|join:" &amp; " }}{% endautoescape %}', {'a': ['alpha', 'beta & me']}, 'alpha &amp; beta & me'),
-
+ # Test that joining with unsafe joiners don't result in unsafe strings (#11377)
+ 'join05': (r'{{ a|join:var }}', {'a': ['alpha', 'beta & me'], 'var': ' & '}, 'alpha &amp; beta &amp; me'),
+ 'join06': (r'{{ a|join:var }}', {'a': ['alpha', 'beta & me'], 'var': mark_safe(' & ')}, 'alpha & beta &amp; me'),
+ 'join07': (r'{{ a|join:var|lower }}', {'a': ['Alpha', 'Beta & me'], 'var': ' & ' }, 'alpha &amp; beta &amp; me'),
+ 'join08': (r'{{ a|join:var|lower }}', {'a': ['Alpha', 'Beta & me'], 'var': mark_safe(' & ')}, 'alpha & beta &amp; me'),
+
'date01': (r'{{ d|date:"m" }}', {'d': datetime(2008, 1, 1)}, '01'),
'date02': (r'{{ d|date }}', {'d': datetime(2008, 1, 1)}, 'Jan. 1, 2008'),
#Ticket 9520: Make sure |date doesn't blow up on non-dates