| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2015-03-27 | [1.8.x] Fixed #24469 -- Refined escaping of Django's form elements in ↵ | Moritz Sichert | |
| non-Django templates. Backport of 1f2abf784a9fe550959de242d91963b2ad6f7e9c from master | |||
| 2015-03-18 | [1.8.x] Fixed an infinite loop possibility in strip_tags(). | Tim Graham | |
| This is a security fix; disclosure to follow shortly. | |||
| 2015-03-10 | [1.8.x] Fixed escaping regression in urlize filter. | Tim Graham | |
| Now that the URL is always unescaped as of refs #22267, we should re-escape it before inserting it into the anchor. Backport of 7b1a67cce52e5c191fbfa1bca501c6f0222db019 from master | |||
| 2015-03-06 | [1.8.x] Fixed urlize regression with entities in query strings | Claude Paroz | |
| Refs #22267. Thanks Shai Berger for spotting the issue and Tim Graham for the initial patch. Backport of ec808e807 from master. | |||
| 2015-02-09 | [1.8.x] Sorted imports with isort; refs #23860. | Tim Graham | |
| Backport of 0ed7d155635da9f79d4dd67e4889087d3673c6da from master | |||
| 2014-12-27 | Fixed #23831 -- Supported strings escaped by third-party libs in Django. | Aymeric Augustin | |
| Refs #7261 -- Made strings escaped by Django usable in third-party libs. The changes in mark_safe and mark_for_escaping are straightforward. The more tricky part is to handle correctly objects that implement __html__. Historically escape() has escaped SafeData. Even if that doesn't seem a good behavior, changing it would create security concerns. Therefore support for __html__() was only added to conditional_escape() where this concern doesn't exist. Then using conditional_escape() instead of escape() in the Django template engine makes it understand data escaped by other libraries. Template filter |escape accounts for __html__() when it's available. |force_escape forces the use of Django's HTML escaping implementation. Here's why the change in render_value_in_context() is safe. Before Django 1.7 conditional_escape() was implemented as follows: if isinstance(text, SafeData): return text else: return escape(text) render_value_in_context() never called escape() on SafeData. Therefore replacing escape() with conditional_escape() doesn't change the autoescaping logic as it was originally intended. This change should be backported to Django 1.7 because it corrects a feature added in Django 1.7. Thanks mitsuhiko for the report. | |||
| 2014-12-08 | Fixed #23968 -- Replaced list comprehension with generators and dict ↵ | Jon Dufresne | |
| comprehension | |||
| 2014-12-03 | Removed redundant numbered parameters from str.format(). | Berker Peksag | |
| Since Python 2.7 and 3.1, "{0} {1}" is equivalent to "{} {}". | |||
| 2014-10-31 | Fixed #23715 -- Prevented urlize from treating a trailing ! as part of an URL | Markus Holtermann | |
| Thanks to 57even for the report. | |||
| 2014-10-20 | Fixed #20221 -- Allowed some functions that use mark_safe() to result in ↵ | Jon Dufresne | |
| SafeText. Thanks Baptiste Mispelon for the report. | |||
| 2014-09-09 | Fixed flake8 warnings. | Tim Graham | |
| 2014-09-09 | Fixed urlize after smart_urlquote rewrite | Claude Paroz | |
| Refs #22267. | |||
| 2014-09-09 | Fixed #22267 -- Fixed unquote/quote in smart_urlquote | Claude Paroz | |
| Thanks Md. Enzam Hossain for the report and initial patch, and Tim Graham for the review. | |||
| 2014-09-05 | Limited lines to 119 characters in django/ | Tim Graham | |
| refs #23395. | |||
| 2014-08-15 | Fixed #23269 -- Deprecated django.utils.remove_tags() and removetags filter. | Tim Graham | |
| Also the unused, undocumented django.utils.html.strip_entities() function. | |||
| 2014-07-09 | Fixed #22223 -- Prevented over-escaping URLs in reverse() | Claude Paroz | |
| And follow more closely the class of characters defined in the RFC 3986. Thanks Erik van Zijst for the report and the initial patch, and Tim Graham for the review. | |||
| 2014-07-04 | Updated urlize regex following a93ee5112d4 | LarryBrid | |
| Prevent urlize from turning some.organization, an.intern etc. into urls. Refs #22941. | |||
| 2014-07-02 | Fixed #22941 - Added support for domain-only links with chars after the TLD ↵ | LarryBrid | |
| to urlize. It now works with something like google.com/foo/bar | |||
| 2014-04-03 | Refactored and commented strip_tags utility | Tomasz Wysocki | |
| 2014-03-30 | Corrected many style guide violations that the newest version of flake8 catches | Alex Gaynor | |
| 2014-03-27 | Fixed a deprecation warning with the HTMLParser safe argument. | Tim Graham | |
| refs 6ca6c36f82b97eafeada61384b2e2f1d0587da86 | |||
| 2014-03-22 | Removed an unused variable. | Alex Gaynor | |
| 2014-03-22 | Improved strip_tags and clarified documentation | Claude Paroz | |
| The fact that strip_tags cannot guarantee to really strip all non-safe HTML content was not clear enough. Also see: https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/ | |||
| 2014-03-21 | Removed fix_ampersands template filter per deprecation timeline. | Tim Graham | |
| Also removed related utility functions: * django.utils.html.fix_ampersands * django.utils.html.clean_html | |||
| 2014-03-08 | Fixed #21188 -- Introduced subclasses for to-be-removed-in-django-XX warnings | Claude Paroz | |
| Thanks Anssi Kääriäinen for the idea and Simon Charette for the review. | |||
| 2014-03-03 | Fixed many typos in comments and docstrings. | Rodolfo Carvalho | |
| Thanks Piotr Kasprzyk for help with the patch. | |||
| 2014-03-01 | Fixed #22130 -- Deprecated fix_ampersands, removed utils.clean_html() | Erik Romijn | |
| 2013-12-16 | Removed unnecessary function-level import. | Baptiste Mispelon | |
| 2013-12-16 | Removed unnecessary call to force_text in utils.html.clean_html. | Vajrasky Kok | |
| Refs #21574 | |||
| 2013-12-14 | Fixed E127 pep8 warnings. | Loic Bistuer | |
| 2013-11-28 | Fixed E125 pep8 warnings | Christopher Medrela | |
| 2013-11-02 | Correct flake8 E302 violations | Ray Ashman Jr | |
| 2013-11-02 | More attacking E302 violators | Alex Gaynor | |
| 2013-11-02 | Correct flake8 violation E261 | Ray Ashman Jr | |
| 2013-10-23 | Fixed #21298 -- Fixed E301 pep8 warnings | Alasdair Nicol | |
| 2013-10-21 | Fixed #21288 -- Fixed E126 pep8 warnings | Alasdair Nicol | |
| 2013-10-15 | Fixed #7261 -- support for __html__ for library interoperability | Unai Zalakain | |
| The idea is that if an object implements __html__ which returns a string this is used as HTML representation (eg: on escaping). If the object is a str or unicode subclass and returns itself the object is a safe string type. This is an updated patch based on jbalogh and ivank patches. | |||
| 2013-09-25 | Fixed #20364 -- Changed urlize regexes to include quotation marks as punctation. | Giles Richard Greenway | |
| Thanks to EmilStenstrom for raising this, and to Chris Piwoński for all of the fixes and most of the tests. | |||
| 2013-09-06 | Fixed a number of flake8 errors -- particularly around unused imports and ↵ | Alex Gaynor | |
| local variables | |||
| 2013-09-05 | Took advantage of django.utils.six.moves.urllib.*. | Aymeric Augustin | |
| 2013-08-30 | Fixed #20989 -- Removed useless explicit list comprehensions. | Simon Charette | |
| 2013-07-28 | Simplified smart_urlquote and added some basic tests. | Florian Apolloner | |
| 2013-06-19 | Removed several unused imports. | Aymeric Augustin | |
| 2013-05-23 | Fixed #19237 (again) - Made strip_tags consistent between Python versions | Claude Paroz | |
| 2013-05-22 | Fixed #19237 -- Used HTML parser to strip tags | Claude Paroz | |
| The regex method used until now for the strip_tags utility is fast, but subject to flaws and security issues. Consensus and good practice lead use to use a slower but safer method. | |||
| 2013-05-18 | Fixed #20246 -- Added non-breaking spaces between values an units | Emil Stenström | |
| 2013-05-17 | Replaced an antiquated pattern. | Aymeric Augustin | |
| Thanks Lennart Regebro for pointing it out. | |||
| 2013-04-01 | Fixed #20172 -- Ensured urlize supports IPv4/IPv6 addresses | Claude Paroz | |
| Thanks Marc Aymerich for the report and the initial patch. | |||
| 2013-02-06 | Improved regex in strip_tags | Claude Paroz | |
| Thanks Pablo Recio for the report. Refs #19237. | |||
| 2013-01-25 | Fixed #19577 - Added HTML escaping to admin examples. | Tim Graham | |
| Thanks foo@ for the report and Florian Apolloner for the review. | |||
