| Age | Commit message (Collapse) | Author |
|
This is a security fix. Disclosure following shortly.
|
|
Refs #7261 -- Made strings escaped by Django usable in third-party libs.
The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.
Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.
Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.
Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.
Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:
if isinstance(text, SafeData):
return text
else:
return escape(text)
render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.
This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.
Thanks mitsuhiko for the report.
Backport of 6d52f6f from master.
|
|
mark_safe and mark_for_escaping should have been kept similar.
On Python 2 this change has no effect. On Python 3 it fixes the use case
shown in the regression test for mark_for_escaping, which used to raise
a TypeError. The regression test for mark_safe is just for completeness.
Backport of 5c5eb5fe from master.
|
|
Backport of 54085b0f9ba7d9f705f9b9c90d3433b0ef6aa042 from master
|
|
Python 3.
Backport of 03d89168a2 from master
|
|
os.close(fd) is needed to avoid "The process cannot access the file
because it is being used by another process"
Backport of c2ab501bab from master
|
|
If the temporary file name contained a p or y as its last
characters, it would be stripped. refs #23083.
Backport of 57d2b3f2a7 from master
|
|
Thanks Collin Anderson for the report and hirokiky for the fix.
Backport of b8cb5ba708 from master
|
|
This fixes a regression introduced in 6d302f639.
Thanks lorinkoz at gmail.com for the report, Collin Anderson
for the initial patch and Simon Charette for the review.
Backport of 4e424084e from master.
|
|
Backport of fddd95254e from master
|
|
Thanks brylie.
Backport of 89b9e6e5d6 from master
|
|
Refs #9722. Thanks Tim Graham for the review.
Backport of 6d302f639 from master.
|
|
parse_datetime
Backport of 7beaeeed from master.
|
|
Backport of 083d285b82 from master
|
|
Backport of b6b873d2ada0d7c2a616d11f161a7688df15f45f from master
|
|
Also added tests with pytz and removed misplaced tests.
Backport of 1109ebd from master
|
|
Also added tests for is/make_aware/naive.
Thanks Tom Michaelis for the report.
Backport of fa89acf from master
|
|
Backport of e520a73ee from master.
|
|
This is a security fix. Disclosure following shortly.
|
|
This is a security fix. Disclosure following shortly.
|
|
order.
Backport of 69a4f383f6 from master
|
|
Backport of c19bbefca2 from master
|
|
Backport of 6a0291bdaf from master.
|
|
The fact that strip_tags cannot guarantee to really strip all
non-safe HTML content was not clear enough. Also see:
https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/
Backport of 6ca6c36f82b from master.
|
|
This commit also added tests for LazyObject and refactored
the testsuite of SimpleLazyObject so that it can share
test cases with LazyObject.
|
|
Thanks Anssi Kääriäinen for the idea and Simon Charette for the
review.
|
|
Refs #21725.
|
|
|
|
Refs #21725.
|
|
|
|
Thanks to nedbatchelder for the report.
|
|
import_string().
Thanks Aymeric Augustin for the suggestion and review.
|
|
|
|
|
|
This reverts commit 2ee447fb5f8974b432d3dd421af9a242215aea44.
That commit introduced a regression (#21882) and didn't really
do what it was supposed to: while it did delay the evaluation
of lazy objects passed to mark_safe(), they weren't actually
marked as such so they could end up being escaped twice.
Refs #21882.
|
|
test suite.
Thanks Aymeric for the suggestion.
|
|
Windows cannot use a time zone other than the default time zone.
Thanks manfre for the report.
|
|
|
|
It's now easier to achieve the same effect with modify_settings or
override_settings.
|
|
Reverted 4a56a93cc458e9ab4dcab95d9f5067d4975dd1a2.
|
|
Except the app cache code and a few specific tests, of course.
|
|
Used the app cache's get_app_configs() method instead.
|
|
|
|
All input is now coerced to text before being normalized.
This changes nothing under Python 2 but it allows bytes
to be passed to the function without a TypeError under Python3
(bytes are assumed to be utf-8 encoded text).
Thanks to trac user vajrasky for the report.
|
|
|
|
|
|
Django also uses locales provided by apps, which also might change. Also when
i18n is disabled, there is no need for watching translation files.
|
|
|
|
Signed-off-by: Jason Myers <jason@jasonamyers.com>
|
|
|