| Age | Commit message (Collapse) | Author |
|
Backport of 52f0b2b62262743d5f935ddae29428e661b5d8ea from master
|
|
Refs #7261 -- Made strings escaped by Django usable in third-party libs.
The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.
Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.
Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.
Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.
Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:
if isinstance(text, SafeData):
return text
else:
return escape(text)
render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.
This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.
Thanks mitsuhiko for the report.
Backport of 6d52f6f from master.
|
|
mark_safe and mark_for_escaping should have been kept similar.
On Python 2 this change has no effect. On Python 3 it fixes the use case
shown in the regression test for mark_for_escaping, which used to raise
a TypeError. The regression test for mark_safe is just for completeness.
Backport of 5c5eb5fe from master.
|
|
Backport of 54085b0f9ba7d9f705f9b9c90d3433b0ef6aa042 from master
|
|
Backport of d049b36f91538595b9c7cdb7a1506c130803d226 from master
|
|
Backport of 7ef81b5cdd from master
|
|
Backport of 81477c91f6 from master
|
|
Backport of 03467368db from master
|
|
Python 3.
Backport of 03d89168a2 from master
|
|
characters in request.
Thanks edevil for the report and Simon Charette for review.
Backport of 9dff5ce7c7 from master
|
|
Backport of fbeb7979ee from master
|
|
Backport of 5cba975d26 from master
|
|
Backport of d28b5f13b3 from master
|
|
Thanks kwist for the report and the initial patch.
Backport of 5021421799 from master.
|
|
This reverts commit cdfefbec7 as it caused a regression (#23271).
|
|
Thanks Collin Anderson for the report and hirokiky for the fix.
Backport of b8cb5ba708 from master
|
|
This fixes a regression introduced in 6d302f639.
Thanks lorinkoz at gmail.com for the report, Collin Anderson
for the initial patch and Simon Charette for the review.
Backport of 4e424084e from master.
|
|
Backport of fddd95254e from master
|
|
Refs #9722. Thanks Tim Graham for the review.
Backport of 6d302f639 from master.
|
|
No need to restart the server when a translation file changes.
Refs #9523. Thanks artscoop for the report and Tim Graham for
the review.
Backport of 0d363b25b8 from master
|
|
parse_datetime
Backport of 7beaeeed from master.
|
|
Refs #21482.
Backport of 18b3788401 from master.
|
|
Thanks Tim Graham and Aymeric Augustin for the review.
Backport of 9618d68b34 from master.
|
|
and used it in the Oracle SchemaEditor. Refs #22715.
Backport of 06c0e740a4 from master
|
|
No test because this code is already deprecated (part of FastCGI support).
Backport of 5836a577 from master
|
|
Backport of daaeb84158 from master.
|
|
Backport of 083d285b82 from master
|
|
Backport of 1dcc603eff from master
|
|
Backport of 2779c299c8 from master.
|
|
This also fixes #22686 as some sort of side-effect.
Backport of dbb48d2bb99 from master.
|
|
Note these are no longer in master anyway.
|
|
Backport of b6b873d2ada0d7c2a616d11f161a7688df15f45f from master
|
|
Also added tests with pytz and removed misplaced tests.
Backport of 1109ebd from master
|
|
Also added tests for is/make_aware/naive.
Thanks Tom Michaelis for the report.
Backport of fa89acf from master
|
|
Backport of 8a2f04db91 from master
|
|
This is a security fix. Disclosure following shortly.
|
|
Thanks david.fischer.ch at gmail.com for the report.
Backport of 4492ea5475 from master
|
|
Thanks ygbo for the report.
Backport of 142c27218 from master.
|
|
No more `NewBase` horrors.
Thanks to bendavis78 for his work on merging this into six.
Backport of a2340ac6d6 from master
|
|
Backport of 2bcb8bfc8d from master
|
|
Backport of 428c0bbe1bcd303560d7e96d7d2721ff3fdc0e3f from master
|
|
flake8 catches
Backport of 778ce245dd466bce1b19f89e52cf9ed8f1b46513 from master
|
|
Backport of c28beb4291 from master.
|
|
There may be more than 100 (default maxsize) commonly seen xx-yy values
on some sites. The additional memory consumption isn't significant.
Also added a comment explaining why this cache must have a maxsize.
Backport of f356b6e from master.
|
|
Backport of b077ba7ac1 from master
|
|
Backport of 45ef4baf5c from master
|
|
Backport of 2ec82c7387 from master
|
|
Backport of 684e8a941b from master
|
|
The fact that strip_tags cannot guarantee to really strip all
non-safe HTML content was not clear enough. Also see:
https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/
Backport of 6ca6c36f82b from master.
|
|
Fixed #21840 -- Moved dunder methods from SimpleLazyObject to LazyObject...
|