summaryrefslogtreecommitdiff
path: root/django/template/debug.py
diff options
context:
space:
mode:
authorAymeric Augustin <aymeric.augustin@m4x.org>2014-12-23 22:29:01 +0100
committerAymeric Augustin <aymeric.augustin@m4x.org>2014-12-27 18:02:34 +0100
commit6d52f6f8e688b5c4e70be8352eb02c05fea60e85 (patch)
tree253c8fe96adf7780790e85e8f4f0c1e8daeb5a37 /django/template/debug.py
parent5c5eb5fea4d7dcd2b0eed982021cfa8aeee2efd8 (diff)
Fixed #23831 -- Supported strings escaped by third-party libs in Django.
Refs #7261 -- Made strings escaped by Django usable in third-party libs. The changes in mark_safe and mark_for_escaping are straightforward. The more tricky part is to handle correctly objects that implement __html__. Historically escape() has escaped SafeData. Even if that doesn't seem a good behavior, changing it would create security concerns. Therefore support for __html__() was only added to conditional_escape() where this concern doesn't exist. Then using conditional_escape() instead of escape() in the Django template engine makes it understand data escaped by other libraries. Template filter |escape accounts for __html__() when it's available. |force_escape forces the use of Django's HTML escaping implementation. Here's why the change in render_value_in_context() is safe. Before Django 1.7 conditional_escape() was implemented as follows: if isinstance(text, SafeData): return text else: return escape(text) render_value_in_context() never called escape() on SafeData. Therefore replacing escape() with conditional_escape() doesn't change the autoescaping logic as it was originally intended. This change should be backported to Django 1.7 because it corrects a feature added in Django 1.7. Thanks mitsuhiko for the report.
Diffstat (limited to 'django/template/debug.py')
-rw-r--r--django/template/debug.py4
1 files changed, 2 insertions, 2 deletions
diff --git a/django/template/debug.py b/django/template/debug.py
index cf9c2a59fc..465d7ff926 100644
--- a/django/template/debug.py
+++ b/django/template/debug.py
@@ -1,6 +1,6 @@
from django.template.base import Lexer, Parser, tag_re, NodeList, VariableNode, TemplateSyntaxError
from django.utils.encoding import force_text
-from django.utils.html import escape
+from django.utils.html import conditional_escape
from django.utils.safestring import SafeData, EscapeData
from django.utils.formats import localize
from django.utils.timezone import template_localtime
@@ -98,6 +98,6 @@ class DebugVariableNode(VariableNode):
e.django_template_source = self.source
raise
if (context.autoescape and not isinstance(output, SafeData)) or isinstance(output, EscapeData):
- return escape(output)
+ return conditional_escape(output)
else:
return output