diff options
| -rw-r--r-- | django/template/defaultfilters.py | 25 | ||||
| -rw-r--r-- | docs/templates.txt | 13 | ||||
| -rw-r--r-- | tests/regressiontests/defaultfilters/tests.py | 12 |
3 files changed, 48 insertions, 2 deletions
diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py index ac92bef6cf..9514c92d50 100644 --- a/django/template/defaultfilters.py +++ b/django/template/defaultfilters.py @@ -43,7 +43,11 @@ def stringfilter(func): def addslashes(value): - """Adds slashes - useful for passing strings to JavaScript, for example.""" + """ + Adds slashes before quotes. Useful for escaping strings in CSV, for + example. Less useful for escaping JavaScript; use the ``escapejs`` + filter instead. + """ return value.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'") addslashes.is_safe = True addslashes = stringfilter(addslashes) @@ -54,6 +58,25 @@ def capfirst(value): capfirst.is_safe=True capfirst = stringfilter(capfirst) +_js_escapes = ( + ('\\', '\\\\'), + ('"', '\\"'), + ("'", "\\'"), + ('\n', '\\n'), + ('\r', '\\r'), + ('\b', '\\b'), + ('\f', '\\f'), + ('\t', '\\t'), + ('\v', '\\v'), + ('</', '<\\/'), +) +def escapejs(value): + """Backslash-escapes characters for use in JavaScript strings.""" + for bad, good in _js_escapes: + value = value.replace(bad, good) + return value +escapejs = stringfilter(escapejs) + def fix_ampersands(value): """Replaces ampersands with ``&`` entities.""" from django.utils.html import fix_ampersands diff --git a/docs/templates.txt b/docs/templates.txt index e91d1b3e4c..3b38caf58b 100644 --- a/docs/templates.txt +++ b/docs/templates.txt @@ -1227,8 +1227,10 @@ Adds the arg to the value. addslashes ~~~~~~~~~~ -Adds slashes. Useful for passing strings to JavaScript, for example. +Adds slashes before quotes. Useful for escaping strings in CSV, for example. +**New in Django development version**: for escaping data in JavaScript strings, +use the `escapejs` filter instead. capfirst ~~~~~~~~ @@ -1302,6 +1304,15 @@ applied to the result will only result in one round of escaping being done. So it is safe to use this function even in auto-escaping environments. If you want multiple escaping passes to be applied, use the ``force_escape`` filter. +escapejs +~~~~~~~~ + +**New in Django development version** + +Escapes characters for use in JavaScript strings. This does *not* make the +string safe for use in HTML, but does protect you from syntax errors when using +templates to generate JavaScript/JSON. + filesizeformat ~~~~~~~~~~~~~~ diff --git a/tests/regressiontests/defaultfilters/tests.py b/tests/regressiontests/defaultfilters/tests.py index bfa03cd6e1..668ecb9d5a 100644 --- a/tests/regressiontests/defaultfilters/tests.py +++ b/tests/regressiontests/defaultfilters/tests.py @@ -49,6 +49,18 @@ u'\\\\ : backslashes, too' >>> capfirst(u'hello world') u'Hello world' +>>> escapejs(u'"double quotes" and \'single quotes\'') +u'\\"double quotes\\" and \\\'single quotes\\\'' + +>>> escapejs(ur'\ : backslashes, too') +u'\\\\ : backslashes, too' + +>>> escapejs(u'and lots of whitespace: \r\n\t\v\f\b') +u'and lots of whitespace: \\r\\n\\t\\v\\f\\b' + +>>> escapejs(ur'<script>and this</script>') +u'<script>and this<\\/script>' + >>> fix_ampersands(u'Jack & Jill & Jeroboam') u'Jack & Jill & Jeroboam' |
