Ticket #2359: autoescape.diff

django_autoescape/django/contrib/markup/templatetags/markup.py

@@ -16 +16 @@
-
-from django import template
-from django.conf import settings
+from django.utils.safestring import mark_safe
-
-register = template.Library()
-
@@ -25 +26 @@
-    except ImportError:
-        if settings.DEBUG:
-            raise template.TemplateSyntaxError, "Error in {% textile %} filter: The Python textile library isn't installed."
-value
+mark_safe(value)
-    else:
-
+
+
-
-def markdown(value):
-    try:
@@ -35 +37 @@
-    except ImportError:
-        if settings.DEBUG:
-            raise template.TemplateSyntaxError, "Error in {% markdown %} filter: The Python markdown library isn't installed."
-value
+mark_safe(value)
-    else:
-
+
+
-
-def restructuredtext(value):
-    try:
@@ -45 +48 @@
-    except ImportError:
-        if settings.DEBUG:
-            raise template.TemplateSyntaxError, "Error in {% restructuredtext %} filter: The Python docutils library isn't installed."
-value
+mark_safe(value)
-    else:
-        docutils_settings = getattr(settings, "RESTRUCTUREDTEXT_FILTER_SETTINGS", {})
-        parts = publish_parts(source=value, writer_name="html4css1", settings_overrides=docutils_settings)
-
+
+
-
-register.filter(textile)
-register.filter(markdown)

django_autoescape/django/template/context.py

@@ -9 +9 @@
-
-class Context(object):
-    "A stack container for variable context"
+
+    autoescape = False
+
-    def __init__(self, dict_=None):
-        dict_ = dict_ or {}
-        self.dicts = [dict_]
@@ -95 +98 @@
-            processors = tuple(processors)
-        for processor in get_standard_processors() + processors:
-            self.update(processor(request))
+
+class SafeContext(Context):
+    "A Context derivative that autoescapes by default."
+    autoescape = True
+
+class SafeRequestContext(RequestContext):
+    autoescape = True

django_autoescape/django/template/defaultfilters.py

@@ -3 +3 @@
-from django.template import resolve_variable, Library
-from django.conf import settings
-from django.utils.translation import gettext
+from django.utils.safestring import mark_safe, SafeData
-import re
-import random as random_module
-
@@ -16 +17 @@
-def addslashes(value):
-    "Adds slashes - useful for passing strings to JavaScript, for example."
-    return value.replace('"', '\\"').replace("'", "\\'")
+addslashes.is_safe = True
-
-def capfirst(value):
-    "Capitalizes the first character of the value"
-    value = str(value)
-    return value and value[0].upper() + value[1:]
+capfirst.is_safe = True
-
-def fix_ampersands(value):
-    "Replaces ampersands with ``&`` entities"
-    from django.utils.html import fix_ampersands
-    return fix_ampersands(value)
+fix_ampersands.is_safe = True
-
-def floatformat(text):
-    """
@@ -40 +44 @@
-    if m:
-        return '%.1f' % f
-    else:
-
+
+
-
-
+, autoescape = None
-    "Displays text with line numbers"
-    from django.utils.html import escape
-    lines = value.split('\n')
-    # Find the maximum width of the line count, for use with zero padding string format command
-    width = str(len(str(len(lines))))
-
-
-
+
+
+
+
+
+
+
+
+
-
-def lower(value):
-    "Converts a string into all lowercase"
-    return value.lower()
+lower.is_safe = True
-
-def make_list(value):
-    """
@@ -62 +74 @@
-    digits. For a string, it's a list of characters.
-    """
-    return list(str(value))
+make_list.is_safe = False
-
-def slugify(value):
-    "Converts to lowercase, removes non-alpha chars and converts spaces to hyphens"
-    value = re.sub('[^\w\s-]', '', value).strip().lower()
-
+
+
-
-def stringformat(value, arg):
-    """
@@ -81 +95 @@
-        return ("%" + arg) % value
-    except (ValueError, TypeError):
-        return ""
+stringformat.is_safe = True
-
-def title(value):
-    "Converts a string into titlecase"
-    return re.sub("([a-z])'([A-Z])", lambda m: m.group(0).lower(), value.title())
+title.is_safe = False
-
-def truncatewords(value, arg):
-    """
@@ -100 +116 @@
-    if not isinstance(value, basestring):
-        value = str(value)
-    return truncate_words(value, length)
+truncatewords.is_safe = True
-
-def upper(value):
-    "Converts a string into all uppercase"
-    return value.upper()
+upper.is_safe = False
-
-def urlencode(value):
-    "Escapes a value for use in a URL"
-    import urllib
-    return urllib.quote(value)
+urlencode.is_safe = False
-
-def urlize(value):
-    "Converts URLs in plain text into clickable links"
-    from django.utils.html import urlize
-
+
+
-
-def urlizetrunc(value, limit):
-    """
@@ -123 +143 @@
-    Argument: Length to truncate URLs to.
-    """
-    from django.utils.html import urlize
-
+
+
-
-def wordcount(value):
-    "Returns the number of words"
-    return len(value.split())
+wordcount.is_safe = False
-
-def wordwrap(value, arg):
-    """
@@ -137 +159 @@
-    """
-    from django.utils.text import wrap
-    return wrap(str(value), int(arg))
+wordwrap.is_safe = True
-
-def ljust(value, arg):
-    """
@@ -145 +168 @@
-    Argument: field size
-    """
-    return str(value).ljust(int(arg))
+ljust.is_safe = True
-
-def rjust(value, arg):
-    """
@@ -153 +177 @@
-    Argument: field size
-    """
-    return str(value).rjust(int(arg))
+rjust.is_safe = True
-
-def center(value, arg):
-    "Centers the value in a field of a given width"
-    return str(value).center(int(arg))
+center.is_safe = True
-
-def cut(value, arg):
-    "Removes all values of arg from the given string"
-    return value.replace(arg, '')
+cut.is_safe = False
-
-###################
-# HTML STRINGS    #
@@ -168 +195 @@
-
-def escape(value):
-    "Escapes a string's HTML"
-
-
+
+
+
+
+
+
-
-
+, autoescape = None
-    "Converts newlines into <p> and <br />s"
-    from django.utils.html import linebreaks
-
+
+
+
+
-
-
+, autoescape = None
-    "Converts newlines into <br />s"
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-def removetags(value, tags):
-    "Removes a space separated list of [X]HTML tags from the output"
@@ -189 +236 @@
-    value = starttag_re.sub('', value)
-    value = endtag_re.sub('', value)
-    return value
+removetags.is_safe = True
-
-def striptags(value):
-    "Strips all [X]HTML tags"
@@ -196 +244 @@
-    if not isinstance(value, basestring):
-        value = str(value)
-    return strip_tags(value)
+striptags.is_safe = True
-
-###################
-# LISTS           #
@@ -209 +258 @@
-    decorated = [(resolve_variable('var.' + arg, {'var' : item}), item) for item in value]
-    decorated.sort()
-    return [item[1] for item in decorated]
+dictsort.is_safe = False
-
-def dictsortreversed(value, arg):
-    """
@@ -219 +269 @@
-    decorated.sort()
-    decorated.reverse()
-    return [item[1] for item in decorated]
+dictsortreversed.is_safe = False
-
-def first(value):
-    "Returns the first item in a list"
@@ -226 +277 @@
-        return value[0]
-    except IndexError:
-        return ''
+first.is_safe = True
-
-def join(value, arg):
-    "Joins a list with a string, like Python's ``str.join(list)``"
-    try:
-return
+data =
-    except AttributeError: # fail silently but nicely
-        return value
+    safe_args = reduce(lambda lhs, rhs: lhs and isinstance(rhs, SafeData), value, True)
+    if safe_args:
+        return mark_safe(data)
+    else:
+        return data
+join.is_safe = True
-
-def length(value):
-    "Returns the length of the value - useful for lists"
-    return len(value)
+length.is_safe = False
-
-def length_is(value, arg):
-    "Returns a boolean of whether the value's length is the argument"
-    return len(value) == int(arg)
+length.is_safe = False
-
-def random(value):
-    "Returns a random item from the list"
-    return random_module.choice(value)
+length.is_safe = True
-
-def slice_(value, arg):
-    """
@@ -265 +326 @@
-
-    except (ValueError, TypeError):
-        return value # Fail silently.
+slice_.is_safe = True
-
-
+, autoescape = None
-    """
-    Recursively takes a self-nested list and returns an HTML unordered list --
-    WITHOUT opening and closing <ul> tags.
@@ -287 +349 @@
-        </ul>
-        </li>
-    """
+    if autoescape:
+        from django.utils.html import conditional_escape
+        escaper = conditional_escape
+    else:
+        escaper = lambda x: x
+
-    def _helper(value, tabs):
-        indent = '\t' * tabs
-        if value[1]:
-value[0]
+escaper(value[0])
-                '\n'.join([_helper(v, tabs+1) for v in value[1]]), indent, indent)
-        else:
-
-
+
+
+
+
-
-###################
-# INTEGERS        #
@@ -303 +373 @@
-def add(value, arg):
-    "Adds the arg to the value"
-    return int(value) + int(arg)
+add.is_safe = False
-
-def get_digit(value, arg):
-    """
@@ -322 +393 @@
-        return int(str(value)[-arg])
-    except IndexError:
-        return 0
+get_digit.is_safe = False
-
-###################
-# DATES           #
@@ -335 +407 @@
-    if arg is None:
-        arg = settings.DATE_FORMAT
-    return format(value, arg)
+date.is_safe = False
-
-def time(value, arg=None):
-    "Formats a time according to the given format"
@@ -344 +417 @@
-    if arg is None:
-        arg = settings.TIME_FORMAT
-    return time_format(value, arg)
+time.is_safe = False
-
-def timesince(value, arg=None):
-    'Formats a date as the time since that date (i.e. "4 days, 6 hours")'
@@ -353 +427 @@
-    if arg:
-        return timesince(arg, value)
-    return timesince(value)
+timesince.is_safe = False
-
-def timeuntil(value, arg=None):
-    'Formats a date as the time until that date (i.e. "4 days, 6 hours")'
@@ -363 +438 @@
-    if arg:
-        return timesince(arg, value)
-    return timesince(datetime.now(), value)
+timeuntil.is_safe = False
-
-###################
-# LOGIC           #
@@ -371 +447 @@
-def default(value, arg):
-    "If value is unavailable, use given default"
-    return value or arg
+default.is_safe = False
-
-def default_if_none(value, arg):
-    "If value is None, use given default"
-    if value is None:
-        return arg
-    return value
+default_if_none.is_safe = False
-
-def divisibleby(value, arg):
-    "Returns true if the value is devisible by the argument"
-    return int(value) % int(arg) == 0
+divisibleby.is_safe = False
-
-def yesno(value, arg=None):
-    """
@@ -411 +490 @@
-    if value:
-        return yes
-    return no
+yesno.is_safe = False
-
-###################
-# MISC            #
@@ -429 +509 @@
-    if bytes < 1024 * 1024 * 1024:
-        return "%.1f MB" % (bytes / (1024 * 1024))
-    return "%.1f GB" % (bytes / (1024 * 1024 * 1024))
+filesizeformat.is_safe = True
-
-def pluralize(value, arg='s'):
-    """
@@ -456 +537 @@
-        except TypeError: # len() of unsized object
-            pass
-    return singular_suffix
+pluralize.is_safe = False
-
-def phone2numeric(value):
-    "Takes a phone number and converts it in to its numerical equivalent"
-    from django.utils.text import phone2numeric
-    return phone2numeric(value)
+phone2numeric.is_safe = True
-
-def pprint(value):
-    "A wrapper around pprint.pprint -- for debugging, really"
@@ -469 +552 @@
-        return pformat(value)
-    except Exception, e:
-        return "Error in formatting:%s" % e
+pprint.is_safe = True
-
-# Syntax: register.filter(name of filter, callback)
-register.filter(add)
@@ -497 +581 @@
-register.filter(ljust)
-register.filter(lower)
-register.filter(make_list)
+register.filter(noescape)
-register.filter(phone2numeric)
-register.filter(pluralize)
-register.filter(pprint)

django_autoescape/django/template/defaulttags.py

@@ -4 +4 @@
-from django.template import TemplateSyntaxError, VariableDoesNotExist, BLOCK_TAG_START, BLOCK_TAG_END, VARIABLE_TAG_START, VARIABLE_TAG_END, SINGLE_BRACE_START, SINGLE_BRACE_END
-from django.template import get_library, Library, InvalidTemplateLibrary
-from django.conf import settings
+from django.utils.safestring import mark_safe
-import sys
-
-register = Library()
-
+class AutoEscapeNode(Node):
+    def __init__(self, setting, nodelist):
+        self.setting, self.nodelist = setting, nodelist
+
+    def render(self, context):
+        old_setting = context.autoescape
+        context.autoescape = self.setting
+        output = self.nodelist.render(context)
+        context.autoescape = old_setting
+        if self.setting:
+            return mark_safe(output)
+        else:
+            return output
+
-class CommentNode(Node):
-    def render(self, context):
-        return ''
@@ -318 +333 @@
-        return str(int(round(ratio)))
-
-#@register.tag
+def autoescape(parser, token):
+    """
+    Set autoescape behaviour for this block. Possible values are "on" and "off".
+    """
+    unused, rest = token.contents.split(None, 1)
+    if rest not in ('on', 'off'):
+        raise TemplateSyntaxError("autoescape argument must be 'on' or 'off'")
+    setting = (rest == 'on')
+    nodelist = parser.parse(('endautoescape',))
+    parser.delete_first_token()
+    return AutoEscapeNode(setting, nodelist)
+autoescape = register.tag(autoescape)
+
+#@register.tag
-def comment(parser, token):
-    """
-    Ignore everything between ``{% comment %}`` and ``{% endcomment %}``
@@ -417 +446 @@
-    """
-    _, rest = token.contents.split(None, 1)
-    filter_expr = parser.compile_filter("var|%s" % (rest))
+    for func, unused in filter_expr.filters:
+        if func.__name__ == 'noescape':
+            raise TemplateSyntaxError('"filter noescape" is not permitted.  Use the "autoescape" tag instead.')
-    nodelist = parser.parse(('endfilter',))
-    parser.delete_first_token()
-    return FilterNode(filter_expr, nodelist)

django_autoescape/django/template/__init__.py

@@ -57 +57 @@
-import re
-from inspect import getargspec
-from django.conf import settings
-
+SafeContext, 
-from django.utils.functional import curry
-from django.utils.text import smart_split
+from django.utils.safestring import SafeData, mark_safe
+from django.utils.html import escape
-
-
+SafeContext', '
-
-TOKEN_TEXT = 0
-TOKEN_VAR = 1
@@ -558 +560 @@
-                    arg_vals.append(arg)
-                else:
-                    arg_vals.append(resolve_variable(arg, context))
-
+
+
+
+
+
+
+
+
+
-        return obj
-
-    def args_check(name, func, provided):
@@ -744 +754 @@
-
-    def render(self, context):
-        output = self.filter_expression.resolve(context)
-
+
+
+
+
+
-
-class DebugVariableNode(VariableNode):
-    def render(self, context):
@@ -754 +768 @@
-            if not hasattr(e, 'source'):
-                e.source = self.source
-            raise
-
+
+
+
+
+
-
-def generic_tag_compiler(params, defaults, name, node_class, parser, token):
-    "Returns a template.Node subclass."

django_autoescape/django/utils/html.py

@@ -1 +1 @@
-"HTML utilities suitable for global use."
-
-import re, string
+from django.utils.safestring import SafeData
-
-# Configuration for urlize() function
-LEADING_PUNCTUATION  = ['(', '<', '&lt;']
@@ -27 +28 @@
-        html = str(html)
-    return html.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;').replace("'", '&#39;')
-
-
+
+
+
+
+
+
+
+
-    "Converts newlines into <p> and <br />s"
-    value = re.sub(r'\r\n|\r|\n', '\n', value) # normalize newlines
-    paras = re.split('\n{2,}', value)
-
+
+
+
+
-    return '\n\n'.join(paras)
-
-def strip_tags(value):

django_autoescape/django/utils/safestring.py

@@ +1 @@
+"""
+Functions for working with "safe strings": strings that can be display safely
+without further modification in HTML.
+"""
+from django.utils.functional import curry
+
+class SafeData(object):
+    pass
+
+class SafeString(str, SafeData):
+    """
+    A string subclass that has been specifically marked as "safe" for output
+    purposes.
+    """
+    def __add__(self, rhs):
+        """
+        Concatenating a safe string with another safe string or safe unicode
+        object is safe. Otherwise, the result is no longer safe.
+        """
+        if isinstance(rhs, SafeUnicode):
+            return SafeUnicode(self + rhs)
+        elif isinstance(rhs, SafeString):
+            return SafeString(self, rhs)
+        else:
+            return super(SafeString, self).__add__(rhs)
+
+class SafeUnicode(unicode, SafeData):
+    """
+    A unicode subclass that has been specifically marked as "safe" for output
+    purposes.
+    """
+    def __add__(self, rhs):
+        """
+        Concatenating a safe unicode object with another safe string or safe
+        unicode object is safe. Otherwise, the result is no longer safe.
+        """
+        if isinstance(rhs, SafeData):
+            return SafeUnicode(self + rhs)
+        else:
+            return super(SafeUnicode, self).__add__(rhs)
+
+    def _proxy_method(self, *args, **kwargs):
+        """
+        Wrap a call to a normal unicode method up so that we return safe
+        results. The method that is being wrapped is passed in the 'method'
+        argument.
+        """
+        method = kwargs.pop('method')
+        data = method(self, *args, **kwargs)
+        if isinstance(data, str):
+            return SafeString(data)
+        else:
+            return SafeUnicode(data)
+
+    encode = curry(_proxy_method, method = unicode.encode)
+    decode = curry(_proxy_method, method = unicode.decode)
+
+
+def mark_safe(s):
+    """
+    Explicitly mark a string as safe for output purposes. The returned object
+    can be used everywhere a string or unicode object is appropriate.
+
+    Can safely be called multiple times on a single string.
+    """
+    if isinstance(s, SafeData):
+        return s
+    if isinstance(s, str):
+        return SafeString(s)
+    if isinstance(s, unicode):
+        return SafeUnicode(s)
+    raise TypeError, "Input must be str or unicode (got %s)" % type(s)
+

django_autoescape/django/views/debug.py

@@ -1 +1 @@
-from django.conf import settings
-
+SafeContext, 
-from django.utils.html import escape
-from django.http import HttpResponseServerError, HttpResponseNotFound
-import os, re
@@ -118 +118 @@
-            'lineno': '?',
-        }]
-    t = Template(TECHNICAL_500_TEMPLATE)
-
+Safe
-        'exception_type': exc_type.__name__,
-        'exception_value': exc_value,
-        'frames': frames,
@@ -157 +157 @@
-def empty_urlconf(request):
-    "Create an empty URLconf 404 error response."
-    t = Template(EMPTY_URLCONF_TEMPLATE)
-
+Safe
-        'project_name': settings.SETTINGS_MODULE.split('.')[0]
-    })
-    return HttpResponseNotFound(t.render(c), mimetype='text/html')
@@ -295 +295 @@
-
-<div id="summary">
-  <h1>{{ exception_type }} at {{ request.path }}</h1>
-|escape
+
-  <table class="meta">
-    <tr>
-      <th>Request Method:</th>
@@ -340 +340 @@
-<div id="template">
-   <h2>Template error</h2>
-   <p>In template <code>{{ template_info.name }}</code>, error at line <strong>{{ template_info.line }}</strong></p>
-|escape
+
-   <table class="source{% if template_info.top %} cut-top{% endif %}{% ifnotequal template_info.bottom template_info.total %} cut-bottom{% endifnotequal %}">
-   {% for source_line in template_info.source_lines %}
-   {% ifequal source_line.0 template_info.line %}
@@ -367 +367 @@
-          {% if frame.context_line %}
-            <div class="context" id="c{{ frame.id }}">
-              {% if frame.pre_context %}
-|escape
+
-              {% endif %}
-|escape
+
-              {% if frame.post_context %}
-|escape
+
-              {% endif %}
-            </div>
-          {% endif %}
@@ -391 +391 @@
-                {% for var in frame.vars|dictsort:"0" %}
-                  <tr>
-                    <td>{{ var.0 }}</td>
-|escape
+
-                  </tr>
-                {% endfor %}
-              </tbody>
@@ -411 +411 @@
-{% for frame in frames %}
-  File "{{ frame.filename }}" in {{ frame.function }}<br/>
-  {% if frame.context_line %}
-|escape
+
-  {% endif %}
-{% endfor %}<br/>
-&nbsp;&nbsp;{{ exception_type }} at {{ request.path }}<br/>
-|escape
+
-          </td>
-        </tr>
-      </tbody>
@@ -439 +439 @@
-        {% for var in request.GET.items %}
-          <tr>
-            <td>{{ var.0 }}</td>
-|escape
+
-          </tr>
-        {% endfor %}
-      </tbody>
@@ -461 +461 @@
-        {% for var in request.POST.items %}
-          <tr>
-            <td>{{ var.0 }}</td>
-|escape
+
-          </tr>
-        {% endfor %}
-      </tbody>
@@ -483 +483 @@
-        {% for var in request.COOKIES.items %}
-          <tr>
-            <td>{{ var.0 }}</td>
-|escape
+
-          </tr>
-        {% endfor %}
-      </tbody>
@@ -504 +504 @@
-      {% for var in request.META.items|dictsort:"0" %}
-        <tr>
-          <td>{{ var.0 }}</td>
-|escape
+
-        </tr>
-      {% endfor %}
-    </tbody>
@@ -523 +523 @@
-      {% for var in settings.items|dictsort:"0" %}
-        <tr>
-          <td>{{ var.0 }}</td>
-|escape
+
-        </tr>
-      {% endfor %}
-    </tbody>
@@ -590 +590 @@
-      </p>
-      <ol>
-        {% for pattern in urlpatterns %}
-|escape
+
-        {% endfor %}
-      </ol>
-      <p>The current URL, <code>{{ request.path }}</code>, didn't match any of these.</p>
-    {% else %}
-|escape
+
-    {% endif %}
-  </div>
-

django_autoescape/tests/othertests/autoescape.py

@@ +1 @@
+from django.conf import settings
+
+if __name__ == '__main__':
+    # When running this file in isolation, we need to set up the configuration
+    # before importing 'template'.
+    settings.configure()
+
+import templates
+from django import template
+from django.template import loader
+from django.utils.translation import activate, deactivate, install
+from django.utils.tzinfo import LocalTimezone
+from django.utils.safestring import mark_safe
+from datetime import datetime, timedelta
+import traceback
+
+# We want to check all the normal template tests against SafeContext by
+# default. We just update results that would change with autoescaping and add
+# in new tests.
+TEMPLATE_TESTS = templates.TEMPLATE_TESTS.copy()
+
+# SYNTAX --
+# 'template_name': ('template contents', 'context dict', 'expected string output' or Exception class)
+TEMPLATE_TESTS.update({
+
+    ### BASIC SYNTAX ##########################################################
+
+    # Escaped string as argument (this replaces the non-escaped version)
+    'basic-syntax30': (r'{{ var|default_if_none:" endquote\" hah" }}', {"var": None}, ' endquote" hah'),
+
+    # Autoescaping is applied by default
+    'autoescape-basic01': ("{{ first }}", {"first": "<b>first</b>"}, "&lt;b&gt;first&lt;/b&gt;"),
+
+    # Strings (ASCII or unicode) already marked as "safe" are not auto-escaped
+    'autoescape-basic02': ("{{ first }}", {"first": mark_safe("<b>first</b>")}, "<b>first</b>"),
+    'autoescape-basic03': ("{{ first }}", {"first": mark_safe(u"<b>Apple</b>")}, u"<b>Apple</b>"),
+
+
+    ### AUTOESCAPE TAG ########################################################
+    'autoescape-tag01': ("{% autoescape off %}hello{% endautoescape %}", {}, "hello"),
+    'autoescape-tag02': ("{% autoescape off %}{{ first }}{% endautoescape %}", {"first": "<b>hello</b>"}, "<b>hello</b>"),
+    'autoescape-tag03': ("{% autoescape on %}{{ first }}{% endautoescape %}", {"first": "<b>hello</b>"}, "&lt;b&gt;hello&lt;/b&gt;"),
+
+    ### FILTER TAG ############################################################
+
+    # The "noescape" filter cannot work due to internal implementation details
+    # (fortunately, it is equivalent to using the autoescape tag in these
+    # cases).
+    'autoescape-filtertag01': ("{{ first }}{% filter noescape %}{{ first }} x<y{% endfilter %}", {"first": "<a>"}, template.TemplateSyntaxError),
+
+    ### FILTER TESTS ##########################################################
+
+    'ae-filter-addslash01': ("{{ a|addslashes }} {{ b|addslashes }}", {"a": "<a>'", "b": mark_safe("<a>'")}, r"&lt;a&gt;\&#39; <a>\'"),
+
+    'ae-filter-capfirst01': ("{{ a|capfirst }} {{ b|capfirst }}", {"a": "fred>", "b": mark_safe("fred&gt;")}, "Fred&gt; Fred&gt;"),
+
+    # Note that applying fix_ampsersands in autoescape mode leads to double
+    # escaping.
+    'ae-filter-fix_ampersands01': ("{{ a|fix_ampersands }} {{ b|fix_ampersands }}", {"a": "a&b", "b": mark_safe("a&b")}, "a&amp;amp;b a&amp;b"),
+
+    'ae-filter-floatformat01': ("{{ a|floatformat }} {{ b|floatformat }}", {"a": "1.42", "b": mark_safe("1.42")}, "1.4 1.4"),
+
+    # The contents of "linenumbers" is escaped according to the current
+    # autoescape setting.
+    'ae-filter-linenumbers01': ("{{ a|linenumbers }} {{ b|linenumbers }}", {"a": "one\n<two>\nthree", "b": mark_safe("one\n&lt;two&gt;\nthree")}, "1. one\n2. &lt;two&gt;\n3. three 1. one\n2. &lt;two&gt;\n3. three"),
+    'ae-filter-linenumbers02': ("{% autoescape off %}{{ a|linenumbers }} {{ b|linenumbers }}{% endautoescape %}", {"a": "one\n<two>\nthree", "b": mark_safe("one\n&lt;two&gt;\nthree")}, "1. one\n2. <two>\n3. three 1. one\n2. &lt;two&gt;\n3. three"),
+
+    'ae-filter-lower01': ("{{ a|lower }} {{ b|lower }}", {"a": "Apple & banana", "b": mark_safe("Apple &amp; banana")}, "apple &amp; banana apple &amp; banana"),
+
+    # The make_list filter can destroy # existing encoding, so the results are
+    # escaped.
+    'ae-filter-make_list01': ("{{ a|make_list }}", {"a": mark_safe("&")}, "[&#39;&amp;&#39;]"),
+    'ae-filter-make_list02': ('{{ a|make_list|stringformat:"s"|noescape }}', {"a": mark_safe("&")}, "['&']"),
+
+    # Running slugify on a pre-escaped string leads to odd behaviour, but the
+    # result is still safe.
+    'ae-filter-slugify01': ("{{ a|slugify }} {{ b|slugify }}", {"a": "a & b", "b": mark_safe("a &amp; b")}, "a-b a-amp-b"),
+    
+    # Notice that escaping is applied *after* any filters, so the string
+    # formatting here only needs to deal with pre-escaped characters.
+    'ae-filter-stringformat01': ('.{{ a|stringformat:"5s" }}. .{{ b|stringformat:"5s" }}.', {"a": "a<b", "b": mark_safe("a<b")}, ".  a&lt;b. .  a<b."),
+
+    # XXX No test for "title" filter; needs an actual object.
+    
+    'ae-filter-truncatewords01': ('{{ a|truncatewords:"2" }} {{ b|truncatewords:"2"}}', {"a": "alpha & bravo", "b": mark_safe("alpha &amp; bravo")}, "alpha &amp; ... alpha &amp; ..."),
+
+    # The "upper" filter messes up entities (which are case-sensitive), so it's
+    # not safe for non-escaping purposes.
+    'ae-filter-upper01': ('{{ a|upper }} {{ b|upper }}', {"a": "a & b", "b": mark_safe("a &amp; b")}, "A &amp; B A &amp;AMP; B"),
+
+    'ae-filter-urlize01': ('{{ a|urlize }} {{ b|urlize }}', {"a": "http://example.com/x=&y=", "b": mark_safe("http://example.com?x=&y=")}, '<a href="http://example.com/x=&y=" rel="nofollow">http://example.com/x=&y=</a> <a href="http://example.com?x=&y=" rel="nofollow">http://example.com?x=&y=</a>'),
+    'ae-fil