| Age | Commit message (Collapse) | Author |
|
This is a security fix. Disclosure following shortly.
|
|
This fixes a regression caused by f7c287fca9. Thanks Markus Holtermann
for identifying the regression.
|
|
|
|
Since this package is going to hold both the implementation of the Django
Template Language and the infrastructure for Multiple Template Engines,
it should be untied from the DTL as much as possible within our
backwards-compatibility policy.
Only public APIs (i.e. APIs mentioned in the documentation) were left.
|
|
Refs #7261 -- Made strings escaped by Django usable in third-party libs.
The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.
Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.
Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.
Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.
Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:
if isinstance(text, SafeData):
return text
else:
return escape(text)
render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.
This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.
Thanks mitsuhiko for the report.
|
|
mark_safe and mark_for_escaping should have been kept similar.
On Python 2 this change has no effect. On Python 3 it fixes the use case
shown in the regression test for mark_for_escaping, which used to raise
a TypeError. The regression test for mark_safe is just for completeness.
|
|
resultclasses.
Co-Authored-By: Rocky Meza <rmeza@fusionbox.com>
|
|
|
|
|
|
This removes the need to load django.test when not testing.
|
|
|
|
A field for storing periods of time - modeled in Python by timedelta. It
is stored in the native interval data type on PostgreSQL and as a bigint
of microseconds on other backends.
Also includes significant changes to the internals of time related maths
in expressions, including the removal of DateModifierNode.
Thanks to Tim and Josh in particular for reviews.
|
|
|
|
comprehension
|
|
Since Python 2.7 and 3.1, "{0} {1}" is equivalent to "{} {}".
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Added a test for the condition safe_join is designed to prevent.
Previously, a generic ValueError was raised. It was impossible to tell
an intentional exception raised to implement safe_join's contract from
an unintentional exception caused by incorrect inputs or unexpected
conditions. That resulted in bizarre exception catching patterns, which
this patch removes.
Since safe_join is a private API and since the change is unlikely to
create security issues for users who use it anyway -- at worst, an
uncaught SuspiciousFileOperation exception will bubble up -- it isn't
documented.
|
|
|
|
|
|
|
|
Thanks to 57even for the report.
|
|
Thanks kostko for the report.
|
|
|
|
function
|
|
SafeText.
Thanks Baptiste Mispelon for the report.
|
|
timezone by default
Thanks Aymeric Augustin for review.
|
|
This also defines QuerySet.__bool__ for consistency though this should not have any consequence as bool(qs) used to fallback on QuerySet.__len__ in Py3.
|
|
Thanks Loic Bistuer for helping in shaping the patch and Claude Paroz
for the review.
|
|
This ensure that ''.join(c) in jslex.py always returns text.
|
|
|
|
in request.
Thanks edevil for the report and Simon Charette for review.
|
|
|
|
Thanks Collin Anderson for the review.
|
|
Translating an empty string used to return the gettext catalog
metadata instead of the empty string.
Thanks Ned Batchelder for the suggestion, Tim Graham for the review
and Anton Berezin and Claude Paroz for contributions to the patch.
|
|
|
|
|
|
Refs #22267.
|
|
Thanks Md. Enzam Hossain for the report and initial patch, and
Tim Graham for the review.
|
|
Thanks liminspace for the patch and Keryn Knight for benchmarking.
|
|
|
|
|
|
This reverts commit 66757fee7e921ad4c35e0b3f80c25e026100b31c.
Discussions have led to think that this functionality does not
bring significant benefits to justify the added complexity.
Read also discussions on ticket #22734.
|
|
refs #23395.
|
|
|
|
Thanks kwist for the report and the initial patch.
|