summaryrefslogtreecommitdiff
path: root/django/utils
AgeCommit message (Collapse)Author
2015-03-27[1.8.x] Fixed #24469 -- Refined escaping of Django's form elements in ↵Moritz Sichert
non-Django templates. Backport of 1f2abf784a9fe550959de242d91963b2ad6f7e9c from master
2015-03-21[1.8.x] Fixed #24515 -- Fixed DjangoTranslation plural handlingClaude Paroz
Backport of 9e83f30cd31 from master.
2015-03-18[1.8.x] Made is_safe_url() reject URLs that start with control characters.Tim Graham
This is a security fix; disclosure to follow shortly.
2015-03-18[1.8.x] Fixed an infinite loop possibility in strip_tags().Tim Graham
This is a security fix; disclosure to follow shortly.
2015-03-10[1.8.x] Fixed escaping regression in urlize filter.Tim Graham
Now that the URL is always unescaped as of refs #22267, we should re-escape it before inserting it into the anchor. Backport of 7b1a67cce52e5c191fbfa1bca501c6f0222db019 from master
2015-03-06[1.8.x] Fixed urlize regression with entities in query stringsClaude Paroz
Refs #22267. Thanks Shai Berger for spotting the issue and Tim Graham for the initial patch. Backport of ec808e807 from master.
2015-03-04[1.8.x] Moved definition of chunks out of timesince function.Benjamin Wohlwend
This speeds up the timesince function/filter substantially. Backport of d6969ab from master.
2015-02-28[1.8.x] Fixed #24413 -- Prevented translation fallback for EnglishClaude Paroz
Thanks Tomasz Kontusz for the report, Baptiste Mispelon for analysis and Tim Graham for the review. Backport of 3cf1c02695 from master.
2015-02-17[1.8.x] Refs #24324 -- Fixed UnicodeDecodeError in template_backends testsTim Graham
The message for the SuspiciousFileOperation exception needs to be a unicode string. Backport of bebc1e53a3ab059849e5c4e5a55b2f5e68b67169 from master
2015-02-12[1.8.x] Fixed #24321 -- Improved `utils.http.same_origin` compliance with ↵Lukas Klein
RFC6454 Backport of 93b3ef9b2e from master.
2015-02-09[1.8.x] Sorted imports with isort; refs #23860.Tim Graham
Backport of 0ed7d155635da9f79d4dd67e4889087d3673c6da from master
2015-02-08[1.8.x] Optimized allow_lazy() by not generating a new lazy wrapper on each ↵Alex Gaynor
invocation. This dramatically improves performance on PyPy. The following benchmark: python -mtimeit -s "from django.utils.functional import allow_lazy; from django.utils.translation import ugettext_lazy; f = allow_lazy(lambda s: s, str)" "f(ugettext_lazy('abc'))" goes from 390us per loop to 165us. Backport of 82e0cd15711c7171aed7af5e481967cc721c9642 from master
2015-02-08[1.8.x] Fixed #24181 -- Fixed multi-char THOUSAND_SEPARATOR insertionVarun Sharma
Report and original patch by Kay Cha. Backport of 540ca563de from master.
2015-02-06[1.8.x] Removed django-2to3.pyTim Graham
Aymeric says, "It was fun to write, but I don't think it's very useful." Backport of 607af78bb82404d55cc3e80e5f6772fb87c168ee from master
2015-02-04[1.8.x] Fixed #24242 -- Improved efficiency of utils.text.compress_sequence()Matthew Somerville
The function no longer flushes zfile after each write as doing so can lead to the gzipped streamed content being larger than the original content; each flush adds a 5/6 byte type 0 block. Removing this means buf.read() may return nothing, so only yield if that has some data. Testing shows without the flush() the buffer is being flushed every 17k or so and compresses the same as if it had been done as a whole string. Backport of caa3562d5bec1196502352a715a539bdb0f73c2d from master
2015-02-03[1.8.x] Fixed #24252 -- Forced lazy __str__ to utf-8 on Python 2Claude Paroz
Thanks Stanislas Guerra for the report and Tomas Ehrlich for the review. Backport of cd0ceaa102 from master.
2015-02-01[1.8.x] Removed threading fallback imports.Tim Graham
Django imports threading in many other places without fallback. Backport of 18f3e79b13947de0bda7c985916d5a04e28936dc from master
2015-01-20[1.8.x] Fixed typos in code comments.Adam Taylor
Backport of 039465a6a7a18f48ea77ceadb6949990c0ec92e1 from master
2015-01-13Fixed is_safe_url() to handle leading whitespace.Tim Graham
This is a security fix. Disclosure following shortly.
2015-01-08Fixed #24073 -- Returned None for get_language when translations are deactivatedClaude Paroz
This fixes a regression caused by f7c287fca9. Thanks Markus Holtermann for identifying the regression.
2015-01-02Updated six to 1.9.0.Tim Graham
2014-12-28Cleaned up the django.template namespace.Aymeric Augustin
Since this package is going to hold both the implementation of the Django Template Language and the infrastructure for Multiple Template Engines, it should be untied from the DTL as much as possible within our backwards-compatibility policy. Only public APIs (i.e. APIs mentioned in the documentation) were left.
2014-12-27Fixed #23831 -- Supported strings escaped by third-party libs in Django.Aymeric Augustin
Refs #7261 -- Made strings escaped by Django usable in third-party libs. The changes in mark_safe and mark_for_escaping are straightforward. The more tricky part is to handle correctly objects that implement __html__. Historically escape() has escaped SafeData. Even if that doesn't seem a good behavior, changing it would create security concerns. Therefore support for __html__() was only added to conditional_escape() where this concern doesn't exist. Then using conditional_escape() instead of escape() in the Django template engine makes it understand data escaped by other libraries. Template filter |escape accounts for __html__() when it's available. |force_escape forces the use of Django's HTML escaping implementation. Here's why the change in render_value_in_context() is safe. Before Django 1.7 conditional_escape() was implemented as follows: if isinstance(text, SafeData): return text else: return escape(text) render_value_in_context() never called escape() on SafeData. Therefore replacing escape() with conditional_escape() doesn't change the autoescaping logic as it was originally intended. This change should be backported to Django 1.7 because it corrects a feature added in Django 1.7. Thanks mitsuhiko for the report.
2014-12-27Fixed an inconsistency introduced in 547b1810.Aymeric Augustin
mark_safe and mark_for_escaping should have been kept similar. On Python 2 this change has no effect. On Python 3 it fixes the use case shown in the regression test for mark_for_escaping, which used to raise a TypeError. The regression test for mark_safe is just for completeness.
2014-12-26Fixed #23346 -- Fixed lazy() to lookup methods on the real object, not ↵Gavin Wahl
resultclasses. Co-Authored-By: Rocky Meza <rmeza@fusionbox.com>
2014-12-26Fixed #24045 -- Removed useless mark_safe() call in trans_null.pyTim Graham
2014-12-25Fixed #23866 -- Harmonized refs to Django documentation from codeClaude Paroz
2014-12-24Fixed #20349 -- Moved setting_changed signal to django.core.signals.Collin Anderson
This removes the need to load django.test when not testing.
2014-12-22Fixed #23998 -- Added datetime.time support to migrations questioner.Oscar Ramirez
2014-12-20Fixed #2443 -- Added DurationField.Marc Tamlyn
A field for storing periods of time - modeled in Python by timedelta. It is stored in the native interval data type on PostgreSQL and as a bigint of microseconds on other backends. Also includes significant changes to the internals of time related maths in expressions, including the removal of DateModifierNode. Thanks to Tim and Josh in particular for reviews.
2014-12-13Fixed #23812 -- Changed django.utils.six.moves.xrange imports to rangeMichael Hall
2014-12-08Fixed #23968 -- Replaced list comprehension with generators and dict ↵Jon Dufresne
comprehension
2014-12-03Removed redundant numbered parameters from str.format().Berker Peksag
Since Python 2.7 and 3.1, "{0} {1}" is equivalent to "{} {}".
2014-12-03Fixed #23935 -- Converted decimals to fixed point in utils.numberformat.formatEric Rouleau
2014-11-24Fixed typo in django/utils/decorators.py comment.Tom V
2014-11-19Simplified caching of supported languages.Aymeric Augustin
2014-11-19Simplified caching of get_default_timezone().Aymeric Augustin
2014-11-15Fixed #22407 -- Added AdminEmailHandler.send_mail().Berker Peksag
2014-11-13Removed thread customizations of six which are now built-in.Tim Graham
2014-11-11Raised SuspiciousFileOperation in safe_join.Aymeric Augustin
Added a test for the condition safe_join is designed to prevent. Previously, a generic ValueError was raised. It was impossible to tell an intentional exception raised to implement safe_join's contract from an unintentional exception caused by incorrect inputs or unexpected conditions. That resulted in bizarre exception catching patterns, which this patch removes. Since safe_join is a private API and since the change is unlikely to create security issues for users who use it anyway -- at worst, an uncaught SuspiciousFileOperation exception will bubble up -- it isn't documented.
2014-11-05Added a dummy class for HTMLParserError; refs #23763.Tim Graham
2014-11-04Updated six to 1.8.0.Tim Graham
2014-11-03Fixed #18456 -- Added path escaping to HttpRequest.get_full_path().Unai Zalakain
2014-10-31Fixed #23715 -- Prevented urlize from treating a trailing ! as part of an URLMarkus Holtermann
Thanks to 57even for the report.
2014-10-31Fixed #23670 -- Prevented partial import state during module autodiscoveryMarkus Holtermann
Thanks kostko for the report.
2014-10-30Fixed #23558 -- documented slugify limitationsDavid Hoffman
2014-10-20Fixed #23688 -- Updated cached_property to preserve docstring of original ↵John-Scott Atlakson
function
2014-10-20Fixed #20221 -- Allowed some functions that use mark_safe() to result in ↵Jon Dufresne
SafeText. Thanks Baptiste Mispelon for the report.
2014-10-20Fixed #23668 -- Changed make_aware() and make_naive() to use the current ↵Jon Dufresne
timezone by default Thanks Aymeric Augustin for review.
2014-10-16Fixed #23664 -- Provided a consistent definition for OrderedSet.__bool__Thomas Chaumeny
This also defines QuerySet.__bool__ for consistency though this should not have any consequence as bool(qs) used to fallback on QuerySet.__len__ in Py3.