| Age | Commit message (Collapse) | Author |
|
non-string RHS.
This change ensures SafeString addition operations handle non-string RHS
properly, allowing them to implement __radd__ for better compatibility.
|
|
All these functions are wrapping another function. They're the wrapper,
while the function they're wrapping is the wrapped.
|
|
|
|
|
|
Despite inheriting from the str type, every SafeString instance gains
an empty __dict__ due to the normal, expected behaviour of type
subclassing in Python.
Adding __slots__ to SafeData is necessary, because otherwise inheriting
from that (as SafeString does) will give it a __dict__ and negate the
benefit added by modifying SafeString.
|
|
The backported version of functools.wraps was removed in
13864703bc1d5dd4dac63c96c6a4b42a392bc57f.
|
|
|
|
|
|
|
|
|
|
|
|
This will allow to replace force_text() by str() in several places (as one of
the features of force_text is to keep the safe status).
|
|
The class will be removed as part of #27753.
Thanks Tim Graham for the review.
|
|
|
|
|
|
|
|
|
|
Thanks Tim Graham and Simon Charette for the reviews.
|
|
Thanks Tim Graham for the review.
|
|
|
|
|
|
Thanks ArcTanSusan for the initial patch.
|
|
|
|
|
|
Refs #7261 -- Made strings escaped by Django usable in third-party libs.
The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.
Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.
Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.
Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.
Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:
if isinstance(text, SafeData):
return text
else:
return escape(text)
render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.
This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.
Thanks mitsuhiko for the report.
|
|
mark_safe and mark_for_escaping should have been kept similar.
On Python 2 this change has no effect. On Python 3 it fixes the use case
shown in the regression test for mark_for_escaping, which used to raise
a TypeError. The regression test for mark_safe is just for completeness.
|
|
This reverts commit 2ee447fb5f8974b432d3dd421af9a242215aea44.
That commit introduced a regression (#21882) and didn't really
do what it was supposed to: while it did delay the evaluation
of lazy objects passed to mark_safe(), they weren't actually
marked as such so they could end up being escaped twice.
Refs #21882.
|
|
|
|
|
|
The idea is that if an object implements __html__ which returns a string this is
used as HTML representation (eg: on escaping). If the object is a str or unicode
subclass and returns itself the object is a safe string type.
This is an updated patch based on jbalogh and ivank patches.
|
|
* Removed trailing whitespace.
* Added newline to EOF if missing.
* Removed blank lines at EOF.
* Removed some stray tabs.
|
|
|
|
Backwards compatibility aliases were created under Python 2.
|
|
|
|
|
|
SafeUnicode. Thanks, Trey Long.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6845 bcc190cf-cafb-0310-a4f2-bffc1f526a37
|
|
was smoking there. Thanks, Jan Rademaker.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6807 bcc190cf-cafb-0310-a4f2-bffc1f526a37
|
|
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6685 bcc190cf-cafb-0310-a4f2-bffc1f526a37
|
|
controllable by template authors and it's possible to write filters and templates that simulataneously work in both auto-escaped and non-auto-escaped environments if you need to. Fixed #2359
See documentation in templates.txt and templates_python.txt for how everything
works.
Backwards incompatible if you're inserting raw HTML output via template variables.
Based on an original design from Simon Willison and with debugging help from Michael Radziej.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6671 bcc190cf-cafb-0310-a4f2-bffc1f526a37
|