summaryrefslogtreecommitdiff
path: root/django/utils/html.py
AgeCommit message (Collapse)Author
2015-03-27[1.8.x] Fixed #24469 -- Refined escaping of Django's form elements in ↵Moritz Sichert
non-Django templates. Backport of 1f2abf784a9fe550959de242d91963b2ad6f7e9c from master
2015-03-18[1.8.x] Fixed an infinite loop possibility in strip_tags().Tim Graham
This is a security fix; disclosure to follow shortly.
2015-03-10[1.8.x] Fixed escaping regression in urlize filter.Tim Graham
Now that the URL is always unescaped as of refs #22267, we should re-escape it before inserting it into the anchor. Backport of 7b1a67cce52e5c191fbfa1bca501c6f0222db019 from master
2015-03-06[1.8.x] Fixed urlize regression with entities in query stringsClaude Paroz
Refs #22267. Thanks Shai Berger for spotting the issue and Tim Graham for the initial patch. Backport of ec808e807 from master.
2015-02-09[1.8.x] Sorted imports with isort; refs #23860.Tim Graham
Backport of 0ed7d155635da9f79d4dd67e4889087d3673c6da from master
2014-12-27Fixed #23831 -- Supported strings escaped by third-party libs in Django.Aymeric Augustin
Refs #7261 -- Made strings escaped by Django usable in third-party libs. The changes in mark_safe and mark_for_escaping are straightforward. The more tricky part is to handle correctly objects that implement __html__. Historically escape() has escaped SafeData. Even if that doesn't seem a good behavior, changing it would create security concerns. Therefore support for __html__() was only added to conditional_escape() where this concern doesn't exist. Then using conditional_escape() instead of escape() in the Django template engine makes it understand data escaped by other libraries. Template filter |escape accounts for __html__() when it's available. |force_escape forces the use of Django's HTML escaping implementation. Here's why the change in render_value_in_context() is safe. Before Django 1.7 conditional_escape() was implemented as follows: if isinstance(text, SafeData): return text else: return escape(text) render_value_in_context() never called escape() on SafeData. Therefore replacing escape() with conditional_escape() doesn't change the autoescaping logic as it was originally intended. This change should be backported to Django 1.7 because it corrects a feature added in Django 1.7. Thanks mitsuhiko for the report.
2014-12-08Fixed #23968 -- Replaced list comprehension with generators and dict ↵Jon Dufresne
comprehension
2014-12-03Removed redundant numbered parameters from str.format().Berker Peksag
Since Python 2.7 and 3.1, "{0} {1}" is equivalent to "{} {}".
2014-10-31Fixed #23715 -- Prevented urlize from treating a trailing ! as part of an URLMarkus Holtermann
Thanks to 57even for the report.
2014-10-20Fixed #20221 -- Allowed some functions that use mark_safe() to result in ↵Jon Dufresne
SafeText. Thanks Baptiste Mispelon for the report.
2014-09-09Fixed flake8 warnings.Tim Graham
2014-09-09Fixed urlize after smart_urlquote rewriteClaude Paroz
Refs #22267.
2014-09-09Fixed #22267 -- Fixed unquote/quote in smart_urlquoteClaude Paroz
Thanks Md. Enzam Hossain for the report and initial patch, and Tim Graham for the review.
2014-09-05Limited lines to 119 characters in django/Tim Graham
refs #23395.
2014-08-15Fixed #23269 -- Deprecated django.utils.remove_tags() and removetags filter.Tim Graham
Also the unused, undocumented django.utils.html.strip_entities() function.
2014-07-09Fixed #22223 -- Prevented over-escaping URLs in reverse()Claude Paroz
And follow more closely the class of characters defined in the RFC 3986. Thanks Erik van Zijst for the report and the initial patch, and Tim Graham for the review.
2014-07-04Updated urlize regex following a93ee5112d4LarryBrid
Prevent urlize from turning some.organization, an.intern etc. into urls. Refs #22941.
2014-07-02Fixed #22941 - Added support for domain-only links with chars after the TLD ↵LarryBrid
to urlize. It now works with something like google.com/foo/bar
2014-04-03Refactored and commented strip_tags utilityTomasz Wysocki
2014-03-30Corrected many style guide violations that the newest version of flake8 catchesAlex Gaynor
2014-03-27Fixed a deprecation warning with the HTMLParser safe argument.Tim Graham
refs 6ca6c36f82b97eafeada61384b2e2f1d0587da86
2014-03-22Removed an unused variable.Alex Gaynor
2014-03-22Improved strip_tags and clarified documentationClaude Paroz
The fact that strip_tags cannot guarantee to really strip all non-safe HTML content was not clear enough. Also see: https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/
2014-03-21Removed fix_ampersands template filter per deprecation timeline.Tim Graham
Also removed related utility functions: * django.utils.html.fix_ampersands * django.utils.html.clean_html
2014-03-08Fixed #21188 -- Introduced subclasses for to-be-removed-in-django-XX warningsClaude Paroz
Thanks Anssi Kääriäinen for the idea and Simon Charette for the review.
2014-03-03Fixed many typos in comments and docstrings.Rodolfo Carvalho
Thanks Piotr Kasprzyk for help with the patch.
2014-03-01Fixed #22130 -- Deprecated fix_ampersands, removed utils.clean_html()Erik Romijn
2013-12-16Removed unnecessary function-level import.Baptiste Mispelon
2013-12-16Removed unnecessary call to force_text in utils.html.clean_html.Vajrasky Kok
Refs #21574
2013-12-14Fixed E127 pep8 warnings.Loic Bistuer
2013-11-28Fixed E125 pep8 warningsChristopher Medrela
2013-11-02Correct flake8 E302 violationsRay Ashman Jr
2013-11-02More attacking E302 violatorsAlex Gaynor
2013-11-02Correct flake8 violation E261Ray Ashman Jr
2013-10-23Fixed #21298 -- Fixed E301 pep8 warningsAlasdair Nicol
2013-10-21Fixed #21288 -- Fixed E126 pep8 warningsAlasdair Nicol
2013-10-15Fixed #7261 -- support for __html__ for library interoperabilityUnai Zalakain
The idea is that if an object implements __html__ which returns a string this is used as HTML representation (eg: on escaping). If the object is a str or unicode subclass and returns itself the object is a safe string type. This is an updated patch based on jbalogh and ivank patches.
2013-09-25Fixed #20364 -- Changed urlize regexes to include quotation marks as punctation.Giles Richard Greenway
Thanks to EmilStenstrom for raising this, and to Chris Piwoński for all of the fixes and most of the tests.
2013-09-06Fixed a number of flake8 errors -- particularly around unused imports and ↵Alex Gaynor
local variables
2013-09-05Took advantage of django.utils.six.moves.urllib.*.Aymeric Augustin
2013-08-30Fixed #20989 -- Removed useless explicit list comprehensions.Simon Charette
2013-07-28Simplified smart_urlquote and added some basic tests.Florian Apolloner
2013-06-19Removed several unused imports.Aymeric Augustin
2013-05-23Fixed #19237 (again) - Made strip_tags consistent between Python versionsClaude Paroz
2013-05-22Fixed #19237 -- Used HTML parser to strip tagsClaude Paroz
The regex method used until now for the strip_tags utility is fast, but subject to flaws and security issues. Consensus and good practice lead use to use a slower but safer method.
2013-05-18Fixed #20246 -- Added non-breaking spaces between values an unitsEmil Stenström
2013-05-17Replaced an antiquated pattern.Aymeric Augustin
Thanks Lennart Regebro for pointing it out.
2013-04-01Fixed #20172 -- Ensured urlize supports IPv4/IPv6 addressesClaude Paroz
Thanks Marc Aymerich for the report and the initial patch.
2013-02-06Improved regex in strip_tagsClaude Paroz
Thanks Pablo Recio for the report. Refs #19237.
2013-01-25Fixed #19577 - Added HTML escaping to admin examples.Tim Graham
Thanks foo@ for the report and Florian Apolloner for the review.