| Age | Commit message (Collapse) | Author |
|
Thanks vytisb for the report.
|
|
cache key.
Refs #26536.
Thanks Sylvain Fankhauser for the very detailed report.
Backport of 207c5b4acd410dd39bac31457dae26a0d15b8b93 from master
|
|
Backport of 246020efc59de1a64b52fdda6a460904151dae36 from master
|
|
loader keys.
Thanks Anders Roos for the report.
Backport of bd145e7209a0e628cced10384bd6f62d65c0f211 from master
|
|
Backport of ecb59cc6579402b68ddfd4499bf30edacf5963be from master
|
|
nonexistent template.
Backport of 8890c533e0b53cb0021bd5faf15668430cd3075a from master
|
|
SimpleTemplateResponse.
Thanks David Reitter for the report and initial patch.
|
|
Prior to 55f12f8709, the template origin was available on each node via
`self.token.source[0]`. This behavior was removed when debug handling was
simplified, but 3rd-party debugging tools still depend on its presence.
This updates the Parser to set origin on individual nodes. This enables the
source template to be determined even when template extending or including is
used.
Backport of cfda1fa3f8d95f0f4a369da9021dbd770e5fa44a from master
|
|
Backport of 93452a70e8a62c7408eeded444f5088d4a26212d from master
|
|
helpful.
Backport of 9f2881deb127593e8e0fa25e978aad9029d7b562 from master
|
|
tag rendering.
|
|
|
|
This doesn't work in Django 1.8 but was fixed in Django 1.9 as a
side effect of another change.
|
|
This makes it much easier to diagnose a test failure when all
you have is the stack trace from an uncaught TemplateSyntaxError.
|
|
|
|
|
|
Refactored tests to use a sample project.
Updated extraction:
* Removed special handling of single percent signs.
* When extracting messages from template text, doubled all percent signs
so they are not interpreted by gettext as string format flags. All
strings extracted by gettext, if containing a percent sign, will now
be labeled "#, python-format".
Updated translation:
* Used "%%" for "%" in template text before calling gettext.
* Updated {% trans %} rendering to restore "%" from "%%".
|
|
|
|
|
|
Changed the url template tag to use request.resolver_match.namespace as a
default for the current_app argument if request.current_app is not set.
|
|
Due to the URL encoding applied by the tag for all parameters that might be
partly controllable by an end-user, there are no XSS/security problems
caused by this bug, only invalid HTML.
|
|
|
|
Thanks Bojan Mihelac for the initial patch.
|
|
|
|
This is a security hardening fix to help prevent XSS (and incorrect HTML)
for the common use case of simple_tag.
Thanks to Tim Graham for the review.
|
|
|
|
Forwardport of ae1d663b7913f6da233c55409c4973248372d302
from stable/1.8.x plus more.
|
|
This also speeds up for loops that render the same template
multiple times.
|
|
|
|
|
|
* Converted the ``libraries`` and ``builtins`` globals of
``django.template.base`` into properties of the Engine class.
* Added a public API for explicit registration of libraries and builtins.
|
|
|
|
|
|
|
|
This continues work to treat Django templates as a library.
|
|
|
|
|
|
This change:
* Makes the InclusionNode cache-safe by removing render-time side effects
to its nodelist.
* Ensures the render_context stack is properly scoped and reset by updating
the render call to use Template.render rather than Nodelist.render.
|
|
Added a django.template logger without a default handler. Added
logging if there is an exception while resolving variables in a
template.
|
|
This patch does three major things:
* Merges the django.template.debug implementation into django.template.base.
* Simplifies the debug implementation.
The old implementation copied debug information to every token and node.
The django_template_source attribute was set in multiple places, some
quite hacky, like django.template.defaulttags.ForNode.
Debug information is now annotated in two high-level places:
* Template.compile_nodelist for errors during parsing
* Node.render_annotated for errors during rendering
These were chosen because they have access to the template and context
as well as to all exceptions that happen during either the parse or
render phase.
* Moves the contextual line traceback information creation from
django.views.debug into django.template.base.Template. The debug views now
only deal with the presentation of the debug information.
|
|
|
|
|
|
Now that the URL is always unescaped as of refs #22267,
we should re-escape it before inserting it into the anchor.
|
|
input by default.
This may cause some backwards compatibility issues, but may also
resolve security issues in third party projects that fail to heed warnings
in our documentation.
Thanks Markus Holtermann for help with tests and docs.
|
|
|
|
Refs #22267.
Thanks Shai Berger for spotting the issue and Tim Graham for the
initial patch.
|
|
This test failed because a different error code is raised on Windows when
opening a directory. Since the particular message isn't as important to this
test as the fact that the original IOError is reraised, this fixes the test
by making the assertion more generic.
|
|
|
|
|
|
implementation.
Besides the directories they look in, these two loaders are functionally
the same. This removes unnecessary code duplication between the two.
|