From 6d52f6f8e688b5c4e70be8352eb02c05fea60e85 Mon Sep 17 00:00:00 2001 From: Aymeric Augustin Date: Tue, 23 Dec 2014 22:29:01 +0100 Subject: Fixed #23831 -- Supported strings escaped by third-party libs in Django. Refs #7261 -- Made strings escaped by Django usable in third-party libs. The changes in mark_safe and mark_for_escaping are straightforward. The more tricky part is to handle correctly objects that implement __html__. Historically escape() has escaped SafeData. Even if that doesn't seem a good behavior, changing it would create security concerns. Therefore support for __html__() was only added to conditional_escape() where this concern doesn't exist. Then using conditional_escape() instead of escape() in the Django template engine makes it understand data escaped by other libraries. Template filter |escape accounts for __html__() when it's available. |force_escape forces the use of Django's HTML escaping implementation. Here's why the change in render_value_in_context() is safe. Before Django 1.7 conditional_escape() was implemented as follows: if isinstance(text, SafeData): return text else: return escape(text) render_value_in_context() never called escape() on SafeData. Therefore replacing escape() with conditional_escape() doesn't change the autoescaping logic as it was originally intended. This change should be backported to Django 1.7 because it corrects a feature added in Django 1.7. Thanks mitsuhiko for the report. --- tests/utils_tests/test_safestring.py | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) (limited to 'tests') diff --git a/tests/utils_tests/test_safestring.py b/tests/utils_tests/test_safestring.py index 053d9f42fa..e23851815b 100644 --- a/tests/utils_tests/test_safestring.py +++ b/tests/utils_tests/test_safestring.py @@ -13,6 +13,13 @@ lazystr = lazy(force_text, six.text_type) lazybytes = lazy(force_bytes, bytes) +class customescape(six.text_type): + def __html__(self): + # implement specific and obviously wrong escaping + # in order to be able to tell for sure when it runs + return self.replace('<', '<<').replace('>', '>>') + + class SafeStringTest(TestCase): def assertRenderEqual(self, tpl, expected, **context): context = Context(context) @@ -25,6 +32,14 @@ class SafeStringTest(TestCase): self.assertRenderEqual('{{ s }}', 'a&b', s=s) self.assertRenderEqual('{{ s|force_escape }}', 'a&b', s=s) + def test_mark_safe_object_implementing_dunder_html(self): + e = customescape('') + s = mark_safe(e) + self.assertIs(s, e) + + self.assertRenderEqual('{{ s }}', '<>', s=s) + self.assertRenderEqual('{{ s|force_escape }}', '<a&b>', s=s) + def test_mark_safe_lazy(self): s = lazystr('a&b') b = lazybytes(b'a&b') @@ -42,11 +57,25 @@ class SafeStringTest(TestCase): self.assertRenderEqual('{{ s }}', '', s=s) + def test_mark_safe_result_implements_dunder_html(self): + self.assertEqual(mark_safe('a&b').__html__(), 'a&b') + + def test_mark_safe_lazy_result_implements_dunder_html(self): + self.assertEqual(mark_safe(lazystr('a&b')).__html__(), 'a&b') + def test_mark_for_escaping(self): s = mark_for_escaping('a&b') self.assertRenderEqual('{{ s }}', 'a&b', s=s) self.assertRenderEqual('{{ s }}', 'a&b', s=mark_for_escaping(s)) + def test_mark_for_escaping_object_implementing_dunder_html(self): + e = customescape('') + s = mark_for_escaping(e) + self.assertIs(s, e) + + self.assertRenderEqual('{{ s }}', '<>', s=s) + self.assertRenderEqual('{{ s|force_escape }}', '<a&b>', s=s) + def test_mark_for_escaping_lazy(self): s = lazystr('a&b') b = lazybytes(b'a&b') @@ -55,10 +84,6 @@ class SafeStringTest(TestCase): self.assertIsInstance(mark_for_escaping(b), EscapeData) self.assertRenderEqual('{% autoescape off %}{{ s }}{% endautoescape %}', 'a&b', s=mark_for_escaping(s)) - def test_html(self): - s = '

interop

' - self.assertEqual(s, mark_safe(s).__html__()) - def test_mark_for_escaping_object_implementing_dunder_str(self): class Obj(object): def __str__(self): -- cgit v1.3